Preface



The 4th Australasian Conference on Information Security and Privacy was held 
at the University of Wollongong, Australia. The conference was sponsored by 
the Centre for Computer Security Research, University of Wollongong, and the 
Australian Computer Society. The aim of the conference was to bring together 
people working in different areas of computer, communication, and information 
security from universities, industry, and government institutions. The conference 
gave the participants an opportunity to discuss the latest developments in the 
quickly growing area of information security and privacy. 

The program committee accepted 26 papers from 53 submitted. From those 
accepted, thirteen papers were from Australia, two each from Belgium and 
China, and one each from Austria, Belarus, France, India, Japan, Korea, Singa- 
pore, the USA, and Yugoslavia. Conference sessions covered the following topics: 
access control and security models, network security, Boolean functions, group 
communication, cryptanalysis, key management systems, electronic commerce, 
signature schemes, RSA cryptosystems, and odds and ends. 

We would like to thank the members of the program committee who ge- 
nerously spent their time reading and evaluating the papers. We would also like 
to thank members of the organising committee and, in particular, Chris Char- 
nes, Hossein Ghodosi, Marc Gysin, Tiang-Bing Xia, Cheng-Xin Qu, San Yeow 
Lee, Yejing Wang, Hua-Xiong Wang, Chih-Hung Li, Willy Susilo, Chintan Shah, 
Jeffrey Horton, and Ghulam Rasool Chaudhry for their continuous and tireless 
effort in organising the conference. Finally, we would like to thank the authors of 
all the submitted papers, especially the accepted ones, and all the participants 
who made the conference a successful event. 
Boolean Function Design Using Hill Climbing Methods 



William Millan, Andrew Clark, and Ed Dawson 



Information Security Research Center, 
Queensland University of Technology, 

GPO Box 2434, Brisbane, Queensland, Australia 4001. 
FAX: +61-7-3221 2384 

Email: {millan, aclark, dawson}@fit.qut.edu.au 



Abstract. This paper outlines a general approach to the iterative incre- 
mental improvement of the cryptographic properties of arbitrary Boolean 
functions. These methods, which are known as hill climbing, offer a fast 
way to obtain Boolean functions that have properties superior to those of 
randomly generated functions. They provide a means to improve the at- 
tainable compromise between conflicting cryptographic criteria. We give 
an overview of the different options available, concentrating on reducing 
the maximum value of the Walsh-Hadamard transform and autocorrela- 
tion function. A user selected heuristic allows the methods to be flexible. 
Thus we obtain Boolean functions that are locally optimal with regard 
to one or more important cryptographic properties such as nonlinearity 
and global autocorrelation. 



1 Introduction 

Cryptography needs ways to find good Boolean functions so that ciphers can 
resist cryptanalytic attack. The main properties required are high nonlinearity 
and low autocorrelation, so that linear cryptanalysis and differential cryptanalysis [?] 
do not succeed faster than exhaustive key search. 

In the past the main options for Boolean function design have been random 
generation and direct construction. Both of these methods have drawbacks. It is 
difficult to find functions with truly excellent properties via random search, due 
to the vast size of the search space. Direct constructions can produce functions 
that are optimum with regard to the designed property, but they may be weak 
for other cryptographic criteria such as algebraic complexity. Inherent tradeoffs 
exist between the main cryptographic criteria, and determining the optimum 
compromise attainable is still an open problem. 

A technique called hill climbing was introduced in [3]. The basic idea of 
hill climbing is to slightly alter a given Boolean function so that a property 
of interest, such as nonlinearity, is improved. The results of [3] showed clearly 
that hill climbing was able to considerably improve the nonlinearity of randomly 
generated Boolean functions. It was shown in [?] that the genetic algorithm was 
also effective in Boolean function design and then further advances in the genetic 
algorithm technique were reported in [?]. These papers also showed that applying 
hill climbing to the result of the genetic algorithm often improved the results. 
However only the most basic hill climbing approach was considered. 

In an effort to provide an effective and flexible design tool, we concentrate in 
this paper on variations and improvements on the basic hill climbing approach. 
Firstly, we extend hill climbing to include improvements to the autocorrelation 
function, then we examine a variety of hill climbing methods that produce Boo- 
lean functions which are locally optimal with regard to combinations of user 
selected criteria. Our techniques are able to improve both nonlinearity and ab- 
solute global autocorrelation, either separately or in combination. 

This paper is structured as follows. Firstly we review Boolean function pro- 
perties. In Section 3 we present a simple, complete and direct derivation of the 
rules for strong hill climbing, an overview of generalised hill climbing options, 
and a statement of "weak" rules (that improve performance). The experimental 
results of Section 4 show the advantage of the technique over random generation, 
and demonstrate that combinations of properties can be improved. Finally, we 
make comments on some further research directions. 



2 Boolean Function Properties 



In this section we review some of the important and well known cryptographic 
properties of Boolean functions. We let $f(x)$ denote the binary truth table of 
a Boolean function. A Boolean function with $n$ input variables is said to be 
balanced when the Hamming weight is $2^{n-1}$. Balance is a primary cryptographic 
criterion: it ensures that the function cannot be approximated by a constant 
function. 

A useful representation is the polarity truth table: $\hat{f}(x) = (-1)^{f(x)}$. When 
$f(x) = 0$, $\hat{f}(x) = 1$ and when $f(x) = 1$, we have $\hat{f}(x) = -1$. An important 
observation is that $h(x) = f(x) \oplus g(x) \iff \hat{h}(x) = \hat{f}(x)\hat{g}(x)$ holds for all Boolean 
functions. The Hamming distance between two Boolean functions is a measure of 
their mutual correlation. Two functions are considered to be uncorrelated when 
their Hamming distance is equal to $2^{n-1}$, or equivalently when $\sum_x \hat{f}(x)\hat{g}(x) = 0$. 

We denote a linear Boolean function, selected by $\omega \in Z_2^n$, as 
$L_\omega(x) = \omega_1 x_1 \oplus \omega_2 x_2 \oplus \cdots \oplus \omega_n x_n$. A linear function in polarity form 
is denoted $\hat{L}_\omega(x)$. The set of affine functions comprises the set of linear 
functions and their complements: $A_{\omega,c}(x) = L_\omega(x) \oplus c$. The nonlinearity of a 
Boolean function is the minimum Hamming distance to any affine function. The 
nonlinearity may be determined from the Walsh-Hadamard transform (WHT), 
$F(\omega) = \sum_x \hat{f}(x)\hat{L}_\omega(x)$, by $N_f = \frac{1}{2}(2^n - WH_{max})$, where $WH_{max}$ is the 
maximum absolute value taken by $F(\omega)$. Hence, reducing $WH_{max}$ will increase 
the nonlinearity. 

A result known as Parseval's Theorem states that $\sum_\omega F(\omega)^2 = 2^{2n}$. It fol- 
lows that $2^{n/2} \le WH_{max}$. For even $n$, the set of functions that achieve this lower 
bound are known as bent functions [?]. They have the maximum possible nonli- 
nearity, but are never balanced. It is an important open problem to determine 
the set of balanced functions which maximise nonlinearity. 

The autocorrelation function (AC) is also important for cryptographic ana- 
lysis. It is defined as $\hat{r}_f(s) = \sum_x \hat{f}(x)\hat{f}(x \oplus s)$. We denote the maximum 
absolute value taken, for $s \ne 0$, as $AC_{max}$. (When $s = 0$, $\hat{r}_f(0) = 2^n$ for all 
functions.) Good cryptographic functions have small $AC_{max}$. For example the 
bent functions have $\hat{r}_f(s) = 0$ for all $s \ne 0$ [?]. The naive calculation of the 
autocorrelation function is not feasible for moderate $n$. However, the following 
well-known theorem shows that the autocorrelation function can be calculated 
by the inverse Walsh-Hadamard transform applied to the square of the WHT. 
For all $\omega$ it is true that 

$$\sum_{s \in Z_2^n} \hat{r}_f(s)(-1)^{\omega \cdot s} = (F(\omega))^2.$$ 

A direct proof of this result appears in [?], or it may be obtained by seeing 
the Walsh-Hadamard transform as a kind of Fast Fourier transform and invoking 
the convolution theorem. 

Upper bounds on the nonlinearity of Boolean functions have been found in [?] 
which make direct use of the values of the autocorrelation function. In particular, 
we have $N_f \le 2^{n-1} - \frac{1}{2}\sqrt{2^n + AC_{max}}$. Some of the methods presented in this 
paper are intended to decrease $AC_{max}$ directly. Our results have shown that, as 
expected, the distribution of nonlinearity is also improved in this case. 



3 Hill Climbing Methods 

The hill climbing approach to Boolean function design was introduced in [?] as 
a means of improving the nonlinearity of a given Boolean function by making 
well chosen alterations of one or two places of the truth table. It is easy to show 
that any single truth table change causes $\Delta_{WHT}(\omega) \in \{-2, 2\}$ for all $\omega$. Any 
two changes cause $\Delta_{WHT}(\omega) \in \{-4, 0, 4\}$. When the two function values satisfy 
$f(x_1) \ne f(x_2)$ then the Hamming weight will not change. By starting with a 
balanced function, we can hill climb to a more nonlinear balanced function by 
the method presented in [6]. That approach did not make an alteration to the 
truth table unless the nonlinearity is improved by such a change. In this paper 
we examine the approach of allowing changes so long as the property is not made 
worse. We may also make this choice separately for both transform domains. 

The distinction between the hill climbing options is based on the idea that 
we can require strong, weak or no improvement in either or both of $WH_{max}$ 
and $AC_{max}$. A strong option requires that the property must be improved at 
each step. A weak option ensures that the property does not get worse: it may 
improve or stay the same. When no requirements are placed on a property, it 
is not considered in assessing whether an input pair may be changed. The nine 
options are shown in Figure 1. We note that [6] considered the option of strong 
WHT and no AC. The theory of that option is analysed in Section 3.1. We 
introduce the complementary option (strong AC and no WHT improvement) in 
Section 3.2. In Section 3.3 we present the tests required to ensure that the WHT 
and the AC are not made worse by the choice of input pair to change. 

Fig. 1. An Overview of Hill Climbing Methods 

                 WHT Restrictions 
AC Restrictions  None                        Weak                            Strong 
None             Equivalent to random        Slowly improves WHT while       WHT hill climbing. 
                 generation.                 AC is ignored.                  See [6]. 
Weak             Slowly improves AC while    Never gets worse for either     Improve WHT while AC 
                 WHT is ignored.             property. Moves along saddles.  does not get worse. 
Strong           AC hill climbing. See       Improve AC while WHT does       Most restrictive option. 
                 Section 3.2 of this paper.  not get worse.                  Stops at saddles. 


3.1 Improving Nonlinearity 

The recent paper [6] has introduced the strong requirements for improvement of 
the WHT alone, for one and two changes to the truth table. Here we briefly give 
a more general derivation of the rules for the two change case. 

Consider a given Boolean function $f(x)$ in polarity truth table form $\hat{f}(x)$. 
Now let the truth table output be complemented for two distinct inputs $x_1$ and 
$x_2$. We have $\hat{g}(x_i) = -\hat{f}(x_i)$ for $i \in \{1,2\}$, and $\hat{g}(x) = \hat{f}(x)$ for other $x$. Now 
consider the WHT of $g(x)$. 

$$G(\omega) = \sum_x \hat{g}(x)\hat{L}_\omega(x)$$ 
$$= \hat{g}(x_1)\hat{L}_\omega(x_1) + \hat{g}(x_2)\hat{L}_\omega(x_2) + \sum_{x \notin \{x_1, x_2\}} \hat{g}(x)\hat{L}_\omega(x)$$ 
$$= -\left(\hat{f}(x_1)\hat{L}_\omega(x_1) + \hat{f}(x_2)\hat{L}_\omega(x_2)\right) + \sum_{x \notin \{x_1, x_2\}} \hat{f}(x)\hat{L}_\omega(x)$$ 

We will naturally define the change in the WHT value for all $\omega$ as 
$\Delta_{WHT}(\omega) = G(\omega) - F(\omega)$. 
It follows directly that 

$$\Delta_{WHT}(\omega) = -2\hat{f}(x_1)\hat{L}_\omega(x_1) - 2\hat{f}(x_2)\hat{L}_\omega(x_2). \qquad (1)$$ 

This result can be used directly to quickly update the WHT each iteration of 
a 2-step hill climbing program. It is now a straightforward matter to determine 
the conditions required for the choice of $(x_1, x_2)$ to complement so that the 
WHT values change as required. It is clear that two truth table changes ensure 
$\Delta_{WHT}(\omega) \in \{-4, 0, +4\}$. As in all hill climbing methods, we assume $f(x_1) \ne f(x_2)$ 
has been fixed, so that the Hamming weight does not change. We have 

$\Delta_{WHT}(\omega) = -4 \iff$ both $\hat{f}(x_i) = \hat{L}_\omega(x_i)$ for $i \in \{1,2\}$, 
$\Delta_{WHT}(\omega) = +4 \iff$ both $\hat{f}(x_i) \ne \hat{L}_\omega(x_i)$ for $i \in \{1,2\}$, 
$\Delta_{WHT}(\omega) \ne -4 \iff$ not both $\hat{f}(x_i) = \hat{L}_\omega(x_i)$ for $i \in \{1,2\}$ and 
$\Delta_{WHT}(\omega) \ne +4 \iff$ not both $\hat{f}(x_i) \ne \hat{L}_\omega(x_i)$ for $i \in \{1,2\}$, 

which specifies the tests for all conditions of interest in 2-step hill climbing. 
When we require definite improvement of the WHT (the strong option: $WH_{max}$ 
must decrease), take no account of autocorrelation, and wish to maintain the 
Hamming weight, then we may complement the truth table output for any pair 
$(x_1, x_2)$ that satisfies all of the following conditions: 

(i) $f(x_1) \ne f(x_2)$ 

(ii) both $\hat{f}(x_i) = \hat{L}_\omega(x_i)$ for $i \in \{1,2\}$, for all $\{\omega : F(\omega) = WH_{max}\}$ 

(iii) both $\hat{f}(x_i) \ne \hat{L}_\omega(x_i)$ for $i \in \{1,2\}$, for all $\{\omega : F(\omega) = -WH_{max}\}$ 

(iv) not both $\hat{f}(x_i) \ne \hat{L}_\omega(x_i)$ for $i \in \{1,2\}$, for all $\{\omega : F(\omega) = WH_{max} - 4\}$ 

(v) not both $\hat{f}(x_i) = \hat{L}_\omega(x_i)$ for $i \in \{1,2\}$, for all $\{\omega : F(\omega) = -WH_{max} + 4\}$. 

These conditions are equivalent to the ones presented in [6]. We now use the 
same approach to derive the tests required for improvement of the autocorrela- 
tion. 

3.2 Improving Autocorrelation 

Consider changing a Boolean function $f(x)$ by complementing the output for two 
distinct inputs $x_1$ and $x_2$, creating a function $g(x)$ with autocorrelation given 
by: 

$$\hat{r}_g(s) = \sum_x \hat{g}(x)\hat{g}(x \oplus s)$$ 
$$= 2\hat{g}(x_1)\hat{g}(x_1 \oplus s) + 2\hat{g}(x_2)\hat{g}(x_2 \oplus s) + \sum_{x \notin \{x_1, x_2, x_1 \oplus s, x_2 \oplus s\}} \hat{g}(x)\hat{g}(x \oplus s)$$ 
$$= -2\hat{f}(x_1)\hat{f}(x_1 \oplus s) - 2\hat{f}(x_2)\hat{f}(x_2 \oplus s) + \sum_{x \notin \{x_1, x_2, x_1 \oplus s, x_2 \oplus s\}} \hat{f}(x)\hat{f}(x \oplus s).$$ 
For each $s \ne 0$, the change in the value of autocorrelation is 

$$\Delta_{AC}(s) = \hat{r}_g(s) - \hat{r}_f(s)$$ 
$$= -2\hat{f}(x_1)\hat{g}(x_1 \oplus s) - 2\hat{f}(x_2)\hat{g}(x_2 \oplus s) - 2\hat{f}(x_1)\hat{f}(x_1 \oplus s) - 2\hat{f}(x_2)\hat{f}(x_2 \oplus s).$$ 

We need to examine the particular case when $x_1 \oplus x_2 = s$, since then we have 
$\hat{g}(x_1 \oplus s) = \hat{g}(x_2) = -\hat{f}(x_2)$ and $\hat{g}(x_2 \oplus s) = \hat{g}(x_1) = -\hat{f}(x_1)$. In this case the 
formula for autocorrelation changes collapses to 

$$\Delta_{AC}(s = x_1 \oplus x_2) = 0. \qquad (2)$$ 

In the remaining general case, we have 

$$\Delta_{AC}(s \ne x_1 \oplus x_2) = -4\hat{f}(x_1)\hat{f}(x_1 \oplus s) - 4\hat{f}(x_2)\hat{f}(x_2 \oplus s). \qquad (3)$$ 

Noting that the pair $(x_1, x_2)$ was chosen so that $f(x_1) \ne f(x_2)$, we can 
determine that 

$\Delta_{AC}(s) = -8 \iff$ both $\hat{f}(x_i) = \hat{f}(x_i \oplus s)$ for $i \in \{1,2\}$, 
$\Delta_{AC}(s) = +8 \iff$ both $\hat{f}(x_i) \ne \hat{f}(x_i \oplus s)$ for $i \in \{1,2\}$, 
$\Delta_{AC}(s) \ne -8 \iff$ not both $\hat{f}(x_i) = \hat{f}(x_i \oplus s)$ for $i \in \{1,2\}$ and 
$\Delta_{AC}(s) \ne +8 \iff$ not both $\hat{f}(x_i) \ne \hat{f}(x_i \oplus s)$ for $i \in \{1,2\}$. 

When we require definite improvement of the AC (the strong option: $AC_{max}$ 
must decrease), take no account of the WHT, and wish to maintain the Hamming 
weight, then we may complement the truth table output for any pair $(x_1, x_2)$ 
that satisfies all of the following conditions: 

(i) $f(x_1) \ne f(x_2)$ 

(ii) $x_1 \oplus x_2 \ne s$ and both $\hat{f}(x_i) = \hat{f}(x_i \oplus s)$ for $i \in \{1,2\}$, for all $\{s : \hat{r}_f(s) = AC_{max}\}$ 

(iii) $x_1 \oplus x_2 \ne s$ and both $\hat{f}(x_i) \ne \hat{f}(x_i \oplus s)$ for $i \in \{1,2\}$, for all $\{s : \hat{r}_f(s) = -AC_{max}\}$ 

(iv) if $x_1 \oplus x_2 \ne s$ then not both $\hat{f}(x_i) \ne \hat{f}(x_i \oplus s)$ for $i \in \{1,2\}$, for all $\{s : \hat{r}_f(s) = AC_{max} - 8\}$ 

(v) if $x_1 \oplus x_2 \ne s$ then not both $\hat{f}(x_i) = \hat{f}(x_i \oplus s)$ for $i \in \{1,2\}$, for all $\{s : \hat{r}_f(s) = -AC_{max} + 8\}$. 



3.3 The Weak Improvement Option 

Weak requirements are those that guarantee the properties will not be made 
worse by the truth table alteration. The advantage of this approach is that 
"saddles" in the property terrain may be traversed, allowing the search space 
to be more fully explored, and allowing the iterated hill climbing algorithm to 
locate better local optima. Moving along saddles is prohibited in the strong hill 
climbing algorithms. More iterations may be performed using weak constraints, 
not all of which will improve the properties. However, fewer conditions are tested 
for each candidate pair during each iteration. Our experiments reveal the relative 
performance of weak and strong hill climbing algorithms. 

We may state the weak conditions directly. As usual we require $f(x_1) \ne f(x_2)$. 
For $WH_{max}$ not to increase we must choose the pair such that: 

$\Delta_{WHT}(\omega) \ne +4$ for all $\{\omega : F(\omega) = WH_{max}\}$ 
$\Delta_{WHT}(\omega) \ne -4$ for all $\{\omega : F(\omega) = -WH_{max}\}$. 

Similarly, for $AC_{max}$ not to increase we check that: 

$\Delta_{AC}(s) \ne +8$ for all $\{s : \hat{r}_f(s) = AC_{max}\}$ 
$\Delta_{AC}(s) \ne -8$ for all $\{s : \hat{r}_f(s) = -AC_{max}\}$. 



4 Implementation and Results 

To implement these techniques, we simply test all pairs $(x_1, x_2)$ until one is found 
that satisfies all required conditions for the option chosen. For each pair, we stop 
testing as soon as one condition is failed. A pair that passes all tests is in the 
improvement set. (We keep this nomenclature even for the weak cases: we take 
the improvement set to be the set of pairs which satisfy our option.) We can 
either find the full improvement set and then select an arbitrary pair, or just use 
the first valid pair found. 
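The transforms of Section 2, the pair tests of Sections 3.1 to 3.3 and the first-valid-pair loop just described, as an added example in Python; this is not code from the paper or its authors. The function names (wht, delta_wht, delta_ac, passes, pair_allowed, hill_climb, demo) and the rule labels "none", "weak" and "strong" are this example's own. The autocorrelation is computed as the inverse WHT of the squared spectrum, which is the theorem quoted in Section 2; the bent function and the random balanced starting function are constructed test inputs, and n is kept at 6 because the pair search is exhaustive.

```python
# Added example (not the paper's code): transforms of Section 2 and the pair
# tests of Sections 3.1-3.3, driven by the first-valid-pair loop of Section 4.
import random

def polarity(tt):
    """Polarity truth table: output bit 0 -> +1, bit 1 -> -1."""
    return [1 - 2 * b for b in tt]

def wht(v):
    """Fast Walsh-Hadamard transform of a sequence indexed by x in Z_2^n:
    F(w) = sum_x v(x) (-1)^(w.x). Applying it twice returns 2^n * v."""
    F, h = list(v), 1
    while h < len(F):
        for i in range(0, len(F), 2 * h):
            for j in range(i, i + h):
                F[j], F[j + h] = F[j] + F[j + h], F[j] - F[j + h]
        h *= 2
    return F

def autocorrelation(pol):
    """r(s) = sum_x f(x) f(x xor s), as the inverse WHT of F(w)^2 (Section 2)."""
    return [v // len(pol) for v in wht([f * f for f in wht(pol)])]

def nonlinearity(pol):
    """N_f = (2^n - WH_max) / 2."""
    return (len(pol) - max(abs(v) for v in wht(pol))) // 2

def ac_max(pol):
    """AC_max: largest |r(s)| over s != 0."""
    return max(abs(v) for v in autocorrelation(pol)[1:])

def lhat(w, x):
    """Polarity form of the linear function L_w(x) = w.x mod 2."""
    return -1 if bin(w & x).count("1") & 1 else 1

def delta_wht(pol, x1, x2, w):
    """Equation (1): change of F(w) when f(x1) and f(x2) are complemented."""
    return -2 * pol[x1] * lhat(w, x1) - 2 * pol[x2] * lhat(w, x2)

def delta_ac(pol, x1, x2, s):
    """Equations (2) and (3): change of r(s), s != 0, for the same alteration."""
    if s == x1 ^ x2:
        return 0
    return -4 * pol[x1] * pol[x1 ^ s] - 4 * pol[x2] * pol[x2 ^ s]

def passes(rule, value, vmax, d, step):
    """Test one transform value under rule "none", "weak" or "strong"; step is
    4 for the WHT and 8 for the AC. Strong encodes conditions (ii)-(v) of
    Sections 3.1 and 3.2, weak the two tests of Section 3.3."""
    if rule == "none":
        return True
    strong = rule == "strong"
    if value == vmax and (d == step or (strong and d != -step)):
        return False
    if value == -vmax and (d == -step or (strong and d != step)):
        return False
    if strong and ((value == vmax - step and d == step) or
                   (value == -vmax + step and d == -step)):
        return False
    return True

def pair_allowed(pol, F, r, x1, x2, wht_rule, ac_rule):
    """Condition (i) plus the chosen WHT and AC restrictions of Fig. 1."""
    if pol[x1] == pol[x2]:                 # (i): keep the Hamming weight
        return False
    if wht_rule != "none":
        whmax = max(abs(v) for v in F)
        for w in range(len(pol)):
            if not passes(wht_rule, F[w], whmax, delta_wht(pol, x1, x2, w), 4):
                return False
    if ac_rule != "none":
        acmax = max(abs(v) for v in r[1:])
        for s in range(1, len(pol)):
            if not passes(ac_rule, r[s], acmax, delta_ac(pol, x1, x2, s), 8):
                return False
    return True

def hill_climb(tt, wht_rule="strong", ac_rule="weak"):
    """Iterate until no pair satisfies the option; returns (truth table, steps).
    At least one rule must be strong so that WH_max or AC_max strictly
    decreases at every step and the loop terminates."""
    assert "strong" in (wht_rule, ac_rule)
    pol, steps, n2 = polarity(tt), 0, len(tt)
    while True:
        F, r = wht(pol), autocorrelation(pol)
        pair = next(((a, b) for a in range(n2) for b in range(a + 1, n2)
                     if pair_allowed(pol, F, r, a, b, wht_rule, ac_rule)), None)
        if pair is None:
            return [(1 - v) // 2 for v in pol], steps
        pol[pair[0]], pol[pair[1]] = -pol[pair[0]], -pol[pair[1]]
        steps += 1

def random_balanced(n, rng):
    """A balanced n-variable function drawn uniformly at random (constructed input)."""
    tt = [0] * 2 ** (n - 1) + [1] * 2 ** (n - 1)
    rng.shuffle(tt)
    return tt

def bent4():
    """f = x1 x2 xor x3 x4 on 4 variables, a bent function (constructed input)."""
    return [((x & 1) & (x >> 1 & 1)) ^ ((x >> 2 & 1) & (x >> 3 & 1)) for x in range(16)]

def demo(n=6, seed=1, wht_rule="strong", ac_rule="weak"):
    """Climb from one random balanced function; report before/after values."""
    start = random_balanced(n, random.Random(seed))
    best, steps = hill_climb(start, wht_rule, ac_rule)
    p0, p1 = polarity(start), polarity(best)
    return {"nonlinearity": (nonlinearity(p0), nonlinearity(p1)),
            "ac_max": (ac_max(p0), ac_max(p1)), "steps": steps, "best": best}

if __name__ == "__main__":
    print(demo())
```

Running demo() with other rule pairs reproduces the five options of the experiments; passes() is the only place where the strong and weak tests differ, which is why the same loop serves every cell of Fig. 1 that contains at least one strong rule.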

We have examined the five options which include one or both strong options. 
Each experiment was conducted on one million, eight variable balanced Boo- 
lean functions, generated uniformly at random. For each heuristic option, the 
corresponding hill climbing tests were performed to select a pair of truth table 
positions to change. The process is iterated until no suitable pairs are found. At 
that point we have found a Boolean function that cannot be altered in any two 
places without violating the chosen heuristic option. The properties of interest 
are the value of nonlinearity (calculated from $WH_{max}$) and the value of $AC_{max}$. 
A cryptographically strong function has high nonlinearity and low $AC_{max}$. The 
five heuristic options are: strong for WHT and strong for AC, strong for WHT 
and weak for AC, strong for WHT and ignore AC, strong for AC and weak for 
WHT, and strong for AC and ignore WHT. We present our results in four graphs. 
Each graph depicts the frequency distribution of either ACmax or nonlinearity, 
for the cases where either the WHT rule is strong or the AC rule is strong. Note 
that the case of both strong appears on all graphs. Also on all graphs we have 
included the distribution of random balanced functions for reference. In all cases 
the hill climbing heuristics considered were superior to random generation. 

In Figure 2 we show the nonlinearity distribution for the options in which 
strong rules were used for WHT and no, weak or strong rules were used for AC. 

[Figure 2: histogram titled "Nonlinearity distribution - WH Strong (n=8)".] 

Fig. 2. Nonlinearity distribution for various strong WHT options 

Fig. 3. ACmax distribution for various strong WHT options 
It is clear that weak AC rules and no AC rules allowed high nonlinearity to be 
achieved more frequently than when strong AC rules were applied. There was 
effectively no difference in the nonlinearity performance between the case of no 
and weak AC rules. In Figure 3 we show the distribution of $AC_{max}$ for the same 
set of heuristics. Here the advantage of weak rules over no rules is apparent in 
that lower $AC_{max}$ is obtained. Of course strong rules for AC resulted in even 
lower values of $AC_{max}$ being obtained. It is interesting to note that even with 
strong WHT rules and no AC rules, the distribution of $AC_{max}$ is improved over 
that of random functions. This illustrates the qualitative connection between the 
maximum values of WHT and AC. 




[Figure 4: histogram; horizontal axis ACmax, ticks 32 to 112 in steps of 8.] 

Fig. 4. ACmax distribution for various strong AC options 



In Figure 4 we show the $AC_{max}$ distribution for the options in which strong 
rules were used for AC and no, weak or strong rules were used for WHT. It 
is clear that weak WHT rules and no WHT rules allowed low $AC_{max}$ to be 
achieved more frequently than when strong WHT rules were applied. There 
was effectively no difference in the $AC_{max}$ performance between the case of no 
and weak WHT rules. In Figure 5 we show the distribution of nonlinearity for 
the same set of heuristics. Here the advantage of weak rules over no rules is 
again apparent in that high nonlinearity is obtained more frequently. Of course 
strong rules for WHT resulted in even higher nonlinearity being obtained. It 
is interesting to note that even with strong AC rules and no WHT rules, the 
distribution of nonlinearity is improved over that of random functions. This is 
another illustration of the qualitative connection between the maximum values of 
WHT and AC. Depending on the emphasis of desired properties, we recommend 
strong rules for the most desired property, and weak rules for the other. This 
does not impair the performance with respect to the most important property, 
but allows better performance with regard to the secondary criterion. 

[Figure 5: histogram titled "Nonlinearity distribution - AC Strong (n=8)".] 

Fig. 5. Nonlinearity distribution for various strong AC options 

So far we have considered only static heuristics: in which the initially chosen 
option remains in force throughout all iterations of the hill climbing algorithm. 
It is possible to use a more flexible approach: dynamic heuristics, in which the 
option chosen is different for successive steps of the iterative hill climbing al- 
gorithm. This may be fixed (for example alternating between two particular 
options) or adaptive (in which some observed property of the current function is 
used to select the option used in the next step). These approaches may provide 
better performance than the fixed static heuristics introduced here. 

Hill climbing methods are known to improve the performance of genetic algo- 
rithms in the search for good cryptographic functions [?]. An interesting avenue 
for future research is the investigation into the details of how these approaches 
combine. 
Abstract. We introduce new ideas to tackle the enumeration problem 
for correlation immune functions and provide the best known lower and 
upper bounds. The lower bound is obtained from sufficient conditions, 
which are essentially construction procedures for correlation immune fun- 
ctions. We obtain improved necessary conditions and use these to derive 
better upper bounds. Further, bounds are obtained for the set of fun- 
ctions which satisfy the four conditions of correlation immunity, balan- 
cedness, nondegeneracy and nonaffinity. Our work clearly highlights the 
difficulty of exactly enumerating the set of correlation immune functions. 

Keywords: Correlation Immunity, Enumeration, Boolean Function, 
Stream Cipher, Nonlinearity, Balancedness, Nondegeneracy, Symmetry. 



1 Introduction 



Weakness of Boolean functions against correlation based cryptanalytic attack 
was introduced by Siegenthaler. He proposed a divide and conquer attack on 
nonlinear combining functions used in LFSR based stream cipher systems [?]. 
Towards the resistivity against such divide and conquer attack, Siegenthaler in- 
troduced the concept of correlation immunity of Boolean functions in [12]. His 
idea of correlation immunity was based on information theoretic measures using 
the concept of mutual information [?]. A characterization of the information theo- 
retic notion of correlation immunity, based on the Walsh transform, is given in [?]. 
Construction of correlation immune functions having properties of balancedness, 
nonlinearity and good algebraic degree have also been considered [?]. 

Mitchell [?] identified some of the enumeration problems for Boolean func- 
tions including correlation immunity. One of the reviewers has kindly pointed 
out that the enumeration problem for (balanced) correlation immune functions 
was earlier tackled by Wei Juan Shan in her MSc thesis (1987) and part of her 
results were published in [?]. Following Mitchell [?], we define several important 
cryptographic properties of Boolean functions. The definitions are for a scalar 
valued Boolean function, since in most cases (except balancedness) the enume- 
ration problem for vector valued Boolean functions can be trivially reduced to 
that of the scalar valued one. 

Definition 1. Let $f(X_n, \ldots, X_1)$ be a Boolean function. 

C1. Balance. The function $f$ is balanced if the number of ones in its output co- 
lumn is equal to the number of zeros. 

C2. Nonaffinity. The function $f$ is linear/affine if it can be written as 
$f(X_n, \ldots, X_1) = \bigoplus_{i=1}^{n} a_i X_i \oplus b$, where $a_i, b \in \{0, 1\}$. The function $f$ is nonaf- 
fine if it is not linear/affine. 

C3. Nondegeneracy. The function $f$ is degenerate if there exists at least one va- 
riable $X_i \in \{X_n, \ldots, X_1\}$ such that $f(X_n, \ldots, X_{i+1}, 0, X_{i-1}, \ldots, X_1) = 
f(X_n, \ldots, X_{i+1}, 1, X_{i-1}, \ldots, X_1)$. The function $f$ is nondegenerate if it is not 
degenerate. 

C4. Correlation Immunity. The function $f$ is correlation immune if 
$\mathrm{Prob}(f = X_i) = \frac{1}{2}$, $\forall i$, $1 \le i \le n$. 

C5. Symmetry. The function $f$ is symmetric if $f(X_n, \ldots, X_1)$ is the same for all the 
vectors $(X_n, \ldots, X_1)$ of the same Hamming weight. 

Let $A_n(i_1, \ldots, i_r)$ be the set of $n$ variable Boolean functions which have the 
properties $C_{i_1}, \ldots, C_{i_r}$. The set of all Boolean functions of $n$ variables is denoted 
by $\Omega_n$, and the set of all correlation immune (CI) Boolean functions of $n$ variables 
is denoted by $A_n$, i.e., $A_n = A_n(4)$. It should be noted that by correlation 
immunity we here mean correlation immunity of order 1. We also denote by 
$B_n = \Omega_n - A_n$ the set of all $n$ variable non correlation immune (NCI) functions. 

Recently counting of CI Boolean functions has received a lot of attention 
as evident from [?]. Here we provide the best known lower (Section 3) 
and upper (Section 4) bounds on $|A_n|$. We derive the lower bounds based on 
sufficient conditions which are essentially detailed construction procedures. The 
construction provided in Theorem 3 of [?] and Lemma 2 of [?] are special 
cases of our technique. The upper bound is based on necessary conditions which 
are refinements of those provided in [?]. Our analysis indicates that it will be 
difficult to obtain better lower and upper bounds using this kind of construction 
technique (see Remarks [?]). 

Next we briefly review the work that has already been done on enumeration 
of CI functions. A lower bound of 2^ was presented by Mitchell in [?]. The 
currently known lower bounds for $|A_n|$ are as follows. 

(1) $|A_n| \ge 2^{2^{n-1}} + 2^n - 2n + 2^{2^{n-2}} - 2^{n-3}$ by Yang et al. in [?]. 

(2) $|A_n| \ge |A_{n-1}|^2$ by Park et al. in [3]. There $|A_{?}|$ has been enumerated 
exactly. 

Now, $|A_n|$ being exactly enumerated for some $n$, the bound in (2) is always bet- 
ter than that given in (1) for all the consecutive values of $n$. We provide separate 
improved lower bounds for both (1) and (2) above. Yang and Guo [?] provided 
an upper bound | A_n | < ELo Er=o (^V) (T-r) . An improvement 
| A_n | < E j=o ( ^ j was obtained by Park et al. [3]. 

We also consider the problem of enumerating $A_n(1,2,3,4)$. It has been ob- 
served by Mitchell [?, Page 164] that enumerating $A_n(3,4)$ is a nontrivial task. 
These were also considered in [?]. The results in [8, 14] extensively used the 
principle of inclusion and exclusion and so the enumeration is not constructive. 
In [?, Theorem 9] the problem of enumerating $A_n(1,2,3,4)$ is reduced to the 
problem of enumerating $A_n(1,4)$. Also a lower bound on $|A_n(1,4)|$ does not 
immediately provide a lower bound on $|A_n(1,2,3,4)|$ using inclusion and exclu- 
sion. We argue convincingly that a lower bound on $|A_n(1,4)|$ can be easily used 
to present a lower bound on $|A_n(1,2,3,4)|$ (see Theorem [?], Section [?]). Using 
constructive methods we provide lower bounds on $|A_n(1,4)|$ in Section 3. We 
also clarify Mitchell's conjecture [?] on $A_n(1,2,3,4,5)$. Our techniques and 
results are significantly different from those of [?]. 

Throughout the paper $\subseteq$ denotes subset and $\subset$ denotes proper subset. Given 
the truth table of a function $f$ of $n$ input variables, we denote the output column 
of $f$ in the truth table as $f$ itself, i.e. we also interpret $f$ as a binary string. 
We write $f = f^u f^l$ where $f^u$ (respectively $f^l$) is the upper half (respectively 
lower half) of $f$. The strings $f^r$ and $f^c$ are respectively the reverse and bitwise 
complement of $f$. For $f \in \Omega_n$ we interpret each of the columns ($n$ inputs and 
1 output) in the truth table as a string of 0s and 1s of length $2^n$. Thus by $X_i$ 
we mean the string corresponding to the $i$th column (from the right) in the 
truth table. Hamming weight or simply the weight (number of 1s in $S$) of $S$ is 
denoted as $wt(S)$. The Hamming distance between two strings $S_1, S_2$ of the same 
length (say $\lambda$) is denoted as $D(S_1, S_2)$ and the Walsh distance is defined as 
$wd(S_1, S_2) = \#(S_1 = S_2) - \#(S_1 \ne S_2)$. Note that $wd(S_1, S_2) = \lambda - 2D(S_1, S_2)$. 

Further, $CIW_n(a) = \{f \in A_n \mid wt(f) = a\}$ and $NCIW_n(a) = \{f \in B_n \mid 
wt(f) = a\}$. These are required to denote the functions of the same weight. We 
write $C_n(a) = |CIW_n(a)|$ and $N_n(a) = |NCIW_n(a)|$. By $C_n^2(a)$ we mean 
$(C_n(a))^2$. Note that $CIW_n(2^{n-1}) = A_n(1,4)$. Please refer to the Appendix for 
most of the proofs in the following sections. 



2 Preliminary Results 

First we present a few important technical results without proof. 

Lemma 1. $\mathrm{Prob}(f = X_i) = \frac{1}{2}$ iff $\#(f = 1 \mid X_i = 0) = \#(f = 1 \mid X_i = 1)$. 
Consequently, $f \in A_n$ iff $D(f, X_i) = 2^{n-1}$ ($wd(f, X_i) = 0$), $\forall i$, $1 \le i \le n$. 

Lemma 1 is a simpler version of the Walsh transform characterization of CI 
functions (see [?]). If $f$ is CI, then considering the leftmost variable of the truth 
table, we get $wt(f^u) = wt(f^l)$. Consequently, if $wt(f)$ is odd, then $f$ is NCI. 



Note that the right hand side of Theorem 9, item (iii) of [?] should have $A_{n-r,1}(1,4)$ 
instead of $A_{n-r,1}(4)$. 
Proposition 1. Consider $h_1, h_2 \in \Omega_{n-1}$ with $wt(h_1) = wt(h_2)$ and $f \in \Omega_n$ 
with $f = h_1 h_2$. 

(1) If both $h_1, h_2 \in A_{n-1}$ then $f \in A_n$. (2) If $h_1 \in A_{n-1}$ and $h_2 \in B_{n-1}$ then 
$f \in B_n$. (3) If $h_1 = h_2^c$ then $f \in A_n$. (4) If $h_1 \in B_{n-1}$ and $h_1 = h_2$ then $f \in B_n$. 
(5) If both $h_1, h_2 \in B_{n-1}$, with $h_1 \ne h_2$ and $h_1 \ne h_2^c$, then $f$ may or may not 
belong to $A_n$ (see Remark 1). (6) If $f \in A_n$ then either both $h_1, h_2 \in A_{n-1}$ or 
both $h_1, h_2 \in B_{n-1}$. 

Remark 1. The main bottleneck in enumerating CI functions is item 5 of Pro- 
position 1, i.e., it is possible to concatenate two NCI functions of the same weight 
and obtain both CI and NCI functions. We provide two such examples. 

Let $h_1 = 1000$ and $h_2 = 0100$, where $h_1, h_2 \in B_2$ and $h_1 \ne h_2$, $h_1 \ne h_2^c$. Let 
$f \in \Omega_3$, where $f = h_1 h_2 = 1000\,0100$. Then $f \in B_3$, i.e., $f \notin A_3$. 
Let $h_1 = 10000100$ and $h_2 = 00010010$, where $h_1, h_2 \in B_3$ and $h_1 \ne h_2$, $h_1 \ne h_2^c$. 
Let $f \in \Omega_4$, where $f = h_1 h_2 = 10000100\,00010010$. Then $f \in A_4$. 
For a complete enumeration of CI functions, it is necessary to identify when con- 
catenation of two NCI functions of the same weight gives rise to a CI function. 
This, in general, is difficult. Here we provide a partial solution to the problem. 

Lemma 2. Let $f(X_n, \ldots, X_1)$ be a Boolean function of $n$ variables. Then $f$ is 
CI iff for any $X_i$, $1 \le i \le n$, $wt(f \,\&\, X_i) = wt(f \,\&\, X_i^c)$, where $S_1 \,\&\, S_2$ is the 
bitwise AND of $S_1$ and $S_2$. 

Lemma 2 is another characterization of CI functions (see also Lemma 5 of [14]). 
Based on Lemma 2 we can use the principle of inclusion and exclusion to obtain 
an expression for $|A_n|$. Let $a_i = \{f \in \Omega_n \mid wt(f \,\&\, X_i) \ne wt(f \,\&\, X_i^c)\}$ and 
$\bar{a}_i = \Omega_n - a_i$. Let $N(a_i) = |a_i|$ and denote $a_i \cap a_j$ by $a_i a_j$. Then we get the 
following. 

Theorem 1. $A_n = \bar{a}_1 \cap \ldots \cap \bar{a}_n$ and hence $|A_n| = N(\bar{a}_1 \ldots \bar{a}_n) = 2^{2^n} - 
\binom{n}{1} N(a_1) + \binom{n}{2} N(a_1 a_2) - \cdots + (-1)^n \binom{n}{n} N(a_1 \ldots a_n)$. 

Proof: The first statement follows from Lemma 2. The second statement follows 
from the principle of inclusion and exclusion and noting that for any choice of 
$i_1, \ldots, i_r$ from $\{1, \ldots, n\}$, $N(a_{i_1} \ldots a_{i_r}) = N(a_1 \ldots a_r)$. □ 

This expression seems difficult to handle, since it is complicated to evaluate 
N(ai - - - Or) for arbitrary r. However, it can be shown N(ai) = 2^ — 

The principle of inclusion and exclusion has been extensively used in [14]. So 
even if Theorem 1 does not provide a practical method of enumeration, the result 
by itself is quite interesting. We also use generating functions to provide bounds 
for $C_k(a)$, which is explained in Appendix A1. In [?], it was commented that 
$|A_n|$ can be represented as $(2^{2^{n-1}})^{c_n}$, with $c_n$ between 1 and 2. Since $|A_n| > |A_{n-1}|^2$, 
$c_n$ is strictly increasing, and it is interesting to find out whether this 
limit is strictly less than 2. Let $(2^{2^{n-1}})^{c'_n}$ be the upper bound 
on $|A_n|$ provided in [3]. Then it can be checked that $\lim_{n \to \infty} c'_n = 2$. However, 
the expression of the form $(2^{2^{n-1}})^{c_n}$ is not very useful for a clear estimation of 
$|A_n|$. Let $(2^{2^{n-1}})^{c_n} = \dfrac{2^{2^n}}{T \, 2^{f(n)}}$, $T$ a constant, and $f(n)$ a polynomial in $n$. Then 
even if $\lim_{n \to \infty} c_n = 2$, we get $\lim_{n \to \infty} \dfrac{|A_n|}{2^{2^n}} = 0$, giving the indication that 
the number of correlation immune Boolean functions is very few compared to 
the set of all Boolean functions. From the above discussion it is clear that 
exact enumeration of $|A_n|$ will be difficult using the techniques discussed in 
this section and so in the next two sections we concentrate on lower and upper 
bounds for $|A_n|$. 



3 Lower Bounds 

In this section we discuss different techniques to attain lower bounds on $|A_n|$. 

3.1 Basic Construction 

Here we describe a construction technique which improves the lower bound re- 
ported in [?]. Mitchell [?] showed that $|A_n|$ has a lower bound of $2^{2^{n-1}}$ by 
showing that the set of Boolean functions, with the property that inverting the 
input leaves the output unchanged, is CI. We restate the same as follows. 

Lemma 3. $D_n^1 = \{F \in \Omega_n \mid F \text{ palindrome}\} \subseteq A_n$. Also, $|D_n^1| = 2^{2^{n-1}}$. 

Next we show $f$ may be CI even if $f$ is not a pal-indrome. We define two sets in this 
direction. $D_n^2 = \{S_1 S_1^r S_2^r S_2 \mid wt(S_1) = wt(S_2), \text{ and } S_1 \neq S_2^r, \ S_1, S_2 \in \Omega_{n-2}\}$, 
$D_n^3 = \{S S^c S^c S \mid wt(S) \neq 2^{n-3}, \ S \in \Omega_{n-2}, \ S \neq S^r\}$. 

Lemma 4. (1) $D_n^1, D_n^2, D_n^3$ are disjoint proper subsets of $A_n$, (2) $|D_n^2| = \binom{2^{n-1}}{2^{n-2}} - 2^{2^{n-2}}$ 
and (3) $|D_n^3| = 2^{2^{n-2}} - \binom{2^{n-2}}{2^{n-3}} - \left(2^{2^{n-3}} - \binom{2^{n-3}}{2^{n-4}}\right)$. 

The following theorem is immediate from Lemma 3 and Lemma 4, which provides 
a significantly improved lower bound than $(2^{2^{n-1}} + 2^n - 2n + \cdots)$ given 
in [14]. The bound in [14] is obtained from several quite complicated subsets of 
CI functions (see Lemma 4 of [14]). Our construction is much simpler. 

Theorem 2. $|A_n| \ge 2^{2^{n-1}} + \binom{2^{n-1}}{2^{n-2}} - \binom{2^{n-2}}{2^{n-3}} - 2^{2^{n-3}} + \binom{2^{n-3}}{2^{n-4}}$. 



3.2 Recursive Construction 

In this subsection we provide construction methods for correlation immune func- 
tions which in turn improve the bound given in [?]. Let us consider the following 
construction where $F \in \Omega_n$ and $f, g \in \Omega_{n-1}$. 
$$F(X_1, X_2, \ldots, X_n) = f(X_1, X_2, \ldots, X_{n-1})(1 \oplus X_{n-1})(1 \oplus X_n) 
\oplus g(X_1, X_2, \ldots, X_{n-1}) X_{n-1} (1 \oplus X_n) \oplus g(X_1, X_2, \ldots, X_{n-1})(1 \oplus X_{n-1}) X_n 
\oplus f(X_1, X_2, \ldots, X_{n-1}) X_{n-1} X_n. \qquad (1)$$

Park et al [?] had shown that if $f$ and $g$ are CI ($f, g \in A_{n-1}$) then $F$ given by (1) 
above is also CI. From this they obtained the inequality $|A_n| \ge |A_{n-1}|^2$, $n \ge 3$. 
We interpret the function $F$ given in (1) as follows. 
Proposition 2. Let $f, g \in \Omega_{n-1}$ and let $F \in \Omega_n$ be a function given by $F = f^u g^l g^u f^l$. 
Then $F$ is given by (1). 

This interpretation is more intuitive and allows us to generalize the construction 
procedure. The inequality $|A_n| \ge |A_{n-1}|^2$ depends on generation of $F \in A_n$ 
from $f, g \in A_{n-1}$. Take any 2 functions $f$ and $g$ (not necessarily distinct) from 
$A_{n-1}$, and form a function $F$ as given in Proposition 2. Then $F \in A_n$ and 
the construction process is a bijection, so there are at least $|A_{n-1}| \times |A_{n-1}|$ 
correlation immune functions in $A_n$. Here we consider generalizations of the 
construction procedure given in Proposition 2. It has been proved in [?] that the 
construction in Proposition 2 yields correlation immune functions if both $f$ and $g$ 
are correlation immune. However, there are other possible ways of constructing 
$F \in A_n$ from correlation immune functions $f, g \in A_{n-1}$. The following two 
propositions provide constructions which are similar to Proposition 2. 

Proposition 3. Let $f, g \in A_{n-1}$ and $F = f^u g^u g^l f^l$. Then $F \in A_n$. 

Proof: We show that $wd(F, X_i) = 0$ for all $i$. For $i \le n-2$, $wd(F, X_i) = 0$ since 
$f, g$ are CI. Also, $wd(F, X_j) = 0$, for $j = n-1, n$, holds since $wt(f^u) = wt(f^l)$ 
and $wt(g^u) = wt(g^l)$. □ 

Proposition 4. Let $f, g \in A_{n-1}$ and $wt(f) = wt(g)$. If $F = fg = f^u f^l g^u g^l$, 
then $F \in A_n$. 

Different possibilities similar to Propositions 2, 3, 4 are given in List 1. 

List 1: If $f, g \in A_{n-1}$, then $F \in A_n$ subject to the condition $wt(f) = wt(g)$, 
except for items 4, 6, 10 and 12, where $F \in A_n$ without the weight condition. 
Thus we can choose $F$ from any of the following 12 constructions. However, 
Proposition 5 shows that all constructions of List 1 do not provide distinct sets. 

1) $f^u f^l g^u g^l$ 2) $f^u f^l g^l g^u$ 3) $f^u g^u f^l g^l$ 4) $f^u g^u g^l f^l$ 5) $f^u g^l f^l g^u$ 6) $f^u g^l g^u f^l$ 
7) $f^l f^u g^u g^l$ 8) $f^l f^u g^l g^u$ 9) $f^l g^u f^u g^l$ 10) $f^l g^u g^l f^u$ 11) $f^l g^l f^u g^u$ 12) $f^l g^l g^u f^u$ 

Proposition 5. Let $f$ be a correlation immune function and $f = f^u f^l$. Let $g$ 
be such that $g = f^l f^u$, i.e. the top and bottom halves of the output string 
are interchanged. Then $g$ is also correlation immune. 

Definition 2. (1) $P_n = \{f^u g^u g^l f^l \mid f, g \in A_{n-1}\}$. (2) $Q_n = \{f^u f^l g^u g^l \mid f, g \in 
A_{n-1}, \ wt(f) = wt(g)\}$. (3) $R_n = \{f^u g^u f^l g^l \mid f, g \in A_{n-1}, \ wt(f) = wt(g)\}$. 

According to Proposition 5, in List 1, items 4, 6, 10, 12 represent the same 
set $P_n$, items 1, 2, 7, 8 represent the same set $Q_n$, and items 3, 5, 9, 11 represent 
the same set $R_n$. 

Consider $F \in Q_n \cup R_n$. Note that $wt(F) \equiv 0 \bmod 4$. Now, if $F \in P_n$, then 
$wt(F)$ is either $0 \bmod 4$ or $2 \bmod 4$. For $F \in P_n$, $wt(F) \equiv 2 \bmod 4$ when 
exactly one of $f, g$ is of weight $2 \bmod 4$ and the other is of weight $0 \bmod 4$. 
Next we present results towards the enumeration of these sets. 
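The constructions of Subsections 3.1 and 3.2, as an added example that is not the authors' code: it builds the sets $D_n^1, D_n^2, D_n^3$ and $P_n, Q_n, R_n$ on truth-table strings and checks Lemma 4, Theorem 2, Propositions 3 to 5 and the weight observation above for small $n$ against a brute-force CI test. The truth-table ordering ($X_1$ as the least significant bit of the position) and the helper names are this example's own assumptions.

```python
# Added example (not from the paper): the lower-bound sets of Subsection 3.1
# (D_n^1, D_n^2, D_n^3) and Subsection 3.2 (P_n, Q_n, R_n) built on truth-table
# strings, checked for small n against a brute-force correlation-immunity test.
# Convention assumed here: position p of a truth table is the input word with
# X_1 as its least significant bit; S^r reverses a table and S^c complements it.
from itertools import product
from math import comb

def wt(tt):
    return tt.count("1")

def is_ci(tt):
    """Lemma 2: for every variable X_i (bit i-1 of the table position) the ones
    of f split evenly between X_i = 0 and X_i = 1."""
    n = len(tt).bit_length() - 1
    ones = [p for p, b in enumerate(tt) if b == "1"]
    return all(2 * sum((p >> i) & 1 for p in ones) == len(ones) for i in range(n))

def functions(n):
    return ["".join(bits) for bits in product("01", repeat=1 << n)]

def ci_functions(n):
    """A_n by exhaustive search (n <= 4 is quick)."""
    return [tt for tt in functions(n) if is_ci(tt)]

def rev(tt):
    return tt[::-1]

def comp(tt):
    return tt.translate(str.maketrans("01", "10"))

def d_sets(n):
    """D_n^1 (palindromes), D_n^2 and D_n^3 as defined in Subsection 3.1."""
    om = functions(n - 2)
    d1 = {s + rev(s) for s in functions(n - 1)}
    d2 = {s1 + rev(s1) + rev(s2) + s2 for s1 in om for s2 in om
          if wt(s1) == wt(s2) and s1 != rev(s2)}
    d3 = {s + comp(s) + comp(s) + s for s in om
          if wt(s) != 1 << (n - 3) and s != rev(s)}
    return d1, d2, d3

def lemma_4_sizes(n):
    """Closed forms of Lemma 4 for |D_n^2| and |D_n^3|."""
    m = 1 << (n - 2)
    size2 = comb(2 * m, m) - 2 ** m
    size3 = 2 ** m - comb(m, m // 2) - (2 ** (m // 2) - comb(m // 2, m // 4))
    return size2, size3

def theorem_2_bound(n):
    """|A_n| >= |D_n^1| + |D_n^2| + |D_n^3| with |D_n^1| = 2^(2^(n-1))."""
    return 2 ** (1 << (n - 1)) + sum(lemma_4_sizes(n))

def halves(f):
    """f^u and f^l: the top and bottom halves of the truth table."""
    h = len(f) // 2
    return f[:h], f[h:]

def pqr_sets(n):
    """P_n, Q_n, R_n of Definition 2 from all pairs f, g in A_{n-1}."""
    a = ci_functions(n - 1)
    p, q, r = set(), set(), set()
    for f in a:
        fu, fl = halves(f)
        for g in a:
            gu, gl = halves(g)
            p.add(fu + gu + gl + fl)          # item 4 of List 1, no weight condition
            if wt(f) == wt(g):
                q.add(fu + fl + gu + gl)      # item 1: F = f g (Proposition 4)
                r.add(fu + gu + fl + gl)      # item 3
    return p, q, r

def check_subsection_31(n):
    """Lemma 4 and Theorem 2: the three D-sets are disjoint sets of CI
    functions whose sizes match the closed forms."""
    d1, d2, d3 = d_sets(n)
    disjoint = not (d1 & d2 or d1 & d3 or d2 & d3)
    all_ci = all(is_ci(f) for f in d1 | d2 | d3)
    sizes_ok = (len(d2), len(d3)) == lemma_4_sizes(n)
    return disjoint and all_ci and sizes_ok and len(d1 | d2 | d3) == theorem_2_bound(n)

def check_subsection_32(n):
    """Propositions 3-6: P_n, Q_n, R_n lie in A_n, |P_n| = |A_{n-1}|^2, weights in
    Q_n and R_n are 0 mod 4, weights in P_n are 0 or 2 mod 4, and the set
    (Q_n & R_n) - P_n = U_n of Lemma 5 is nonempty."""
    p, q, r = pqr_sets(n)
    size_a = len(ci_functions(n - 1))
    return (all(is_ci(f) for f in p | q | r) and len(p) == size_a ** 2
            and all(wt(f) % 4 == 0 for f in q | r)
            and all(wt(f) % 4 in (0, 2) for f in p)
            and len((q & r) - p) > 0)

if __name__ == "__main__":
    print(lemma_4_sizes(4), theorem_2_bound(4), check_subsection_31(4))
    p, q, r = pqr_sets(4)
    print(len(p), len(q), len(r), len((q & r) - p), check_subsection_32(4))
```

For $n = 4$ the set $(Q_4 \cap R_4) - P_4$ has 12 elements, one per $S \in B_2$, matching Lemma 7's statement $V_4 = U_4$.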
Next we present results towards the enumeration of the sets 

Proposition 6. $P_n \subset A_n$, $Q_n \subset A_n$, $R_n \subset A_n$ and $(P_n \cup Q_n \cup R_n) \subset A_n$, for 
$n \ge 4$. Consequently, $|A_n| \ge |P_n \cup Q_n \cup R_n| + 2^{2^{n-2}} - \binom{2^{n-2}}{2^{n-3}} - |A_{n-2}|$. 
In the following we obtain a lower bound on $|P_n \cup Q_n \cup R_n|$. We can describe 
$P_n \cup Q_n \cup R_n$ as a disjoint union of four sets. 

$$P_n \cup Q_n \cup R_n = P_n \cup ((Q_n \cap R_n) - P_n) \cup (Q_n - (P_n \cup R_n)) \cup (R_n - (P_n \cup Q_n)).$$ 
Using $P_n \cup Q_n \cup R_n \subset A_n$ for $n \ge 4$, $|A_n| \ge |P_n| + |(Q_n \cap R_n) - P_n| + 
|Q_n - (P_n \cup R_n)| + |R_n - (P_n \cup Q_n)|$. Now, $|P_n| = |A_{n-1}|^2$ (see also [?]). 
We find lower bounds of the other three sets to further improve the lower bound 
on $|A_n|$. First we find functions which belong to $(Q_n \cap R_n) - P_n$. We define the 
following sets for this purpose. 

Definition 3. Let $wt(S_1) = wt(S_2) = wt(S_3) = wt(S_4)$. 

(1) $U_n = \{S_1 S_2 S_3 S_4 \mid S_i \in B_{n-2}, 1 \le i \le 4, \text{ and } S_1 S_2, S_3 S_4, S_1 S_3, S_2 S_4 \in 
A_{n-1}, \text{ and } S_1 S_4, S_2 S_3 \in B_{n-1}\}$. (2) $V_n = \{S S^r S^r S \mid S \in B_{n-2}\}$. 

Lemma 5. $U_n = (Q_n \cap R_n) - P_n$. 

Lemma 6. $V_n \subseteq U_n$. Also, $|V_n| = |B_{n-2}| = 2^{2^{n-2}} - |A_{n-2}|$. 
Lemma 7. $V_4 = U_4$ and $V_n \subsetneq U_n$, $n \ge 5$. 

The above lemma provides that $U_n - V_n \neq \emptyset$ for $n \ge 5$. Next we define a few 
sets to find functions of $Q_n$ which do not belong to $(P_n \cup R_n)$. 

Definition 4. Let $wt(S_1) = wt(S_2) = wt(S_3) = wt(S_4)$. 

(1) $Q_n^1 = \{S_1 S_2 S_3 S_4 \mid S_1, S_2 \in B_{n-2}, S_1 S_2 \in A_{n-1}, S_3, S_4 \in A_{n-2}\}$ 

$\cup \{S_1 S_2 S_3 S_4 \mid S_3, S_4 \in B_{n-2}, S_3 S_4 \in A_{n-1}, S_1, S_2 \in A_{n-2}\}$ 

(2) $Q_n^2 = \{S_1 S_2 S_3 S_4 \mid S_i \in B_{n-2}, 1 \le i \le 4, \text{ and } S_1 S_2, S_3 S_4 \in A_{n-1}, 
\text{ and } S_1 S_3, S_1 S_4, S_2 S_3, S_2 S_4 \in B_{n-1}\}$. (3) $Q_n^0 = Q_n^1 \cup Q_n^2$. 

(4) $Q_n^3 = \{S_1 S_1^r S_3 S_4,\ S_3 S_4 S_1 S_1^r \mid S_1 \in B_{n-2}, S_3, S_4 \in A_{n-2}\}$. 

Lemma 8. (1) $Q_n^0 = Q_n - (P_n \cup R_n)$, (2) $Q_4^3 = Q_4^1$, $Q_n^3 \subsetneq Q_n^1$ for $n \ge 5$, 

(3) $|Q_n^3| = 2 \sum_{r=1}^{2^{n-3}-1} C_{n-2}^2(2r)\, N_{n-2}(2r)$. 

Lemma 9. $Q_n^2 \neq \emptyset$, $n \ge 4$. 

Enumeration of $Q_4^2$ is easy, since if we take any two $S_1, S_2 \in B_2$ of the same weight 
with $S_1 \neq S_2$ and $S_1 \neq S_2^r$, we get both $S_1 S_2, S_1 S_2^r \in B_3$. However, the charac- 
terization for $n \ge 5$ is complicated. Next we find functions of $R_n - (P_n \cup Q_n)$. 

Definition 5. Let $wt(S_1) = wt(S_2) = wt(S_3) = wt(S_4)$. 

(1) $R_n^1 = \{S_1 S_2 S_3 S_4 \mid S_1, S_3 \in B_{n-2}, S_1 S_3 \in A_{n-1}, S_2, S_4 \in A_{n-2}\}$ 

$\cup \{S_1 S_2 S_3 S_4 \mid S_2, S_4 \in B_{n-2}, S_2 S_4 \in A_{n-1}, S_1, S_3 \in A_{n-2}\}$ 

(2) $R_n^2 = \{S_1 S_2 S_3 S_4 \mid S_i \in B_{n-2}, 1 \le i \le 4, \text{ and } S_1 S_3, S_2 S_4 \in A_{n-1}, 
\text{ and } S_1 S_2, S_3 S_4, S_2 S_3, S_1 S_4 \in B_{n-1}\}$. (3) $R_n^0 = R_n^1 \cup R_n^2$. 

(4) $R_n^3 = \{S_1 S_3 S_1^r S_4,\ S_3 S_1 S_4 S_1^r \mid S_1 \in B_{n-2}, S_3, S_4 \in A_{n-2}\}$. 



Remark 2. Lemma 8 and Lemma 9 proved for $Q$ are also true for $R$. Thus from 
the preceding lemmas we get the following theorem. 
Theorem 3. (1) $P_n \cup Q_n \cup R_n = P_n \cup U_n \cup Q_n^0 \cup R_n^0$ for $n \ge 4$. 

(2) $P_4 \cup Q_4 \cup R_4 = P_4 \cup V_4 \cup Q_4^2 \cup Q_4^3 \cup R_4^2 \cup R_4^3$. (3) For $n \ge 5$, 
$|A_n| \ge |P_n \cup Q_n \cup R_n| > |P_n| + |U_n| + |Q_n^2| + |Q_n^3| + |R_n^2| + |R_n^3|$. 
Proof: It is easy to see that (1) and (3) hold. The proof of (2) holds since 
$Q_4^3 = Q_4^1$ and $R_4^3 = R_4^1$, similar to Lemma 8. □ 

Remark 3. The above theorem suggests that exact enumeration of $P_n \cup Q_n \cup R_n$ 
for $n \ge 4$ is difficult using this kind of technique. It is clear from the above 
lemmas that the difficulty arises due to the problem of two NCI 
functions giving rise to a CI function (see Remark 1). 



Theorem 4. For $n \ge 4$, 

$$|A_n| \ge |A_{n-1}|^2 + 2\left(2^{2^{n-2}} - |A_{n-2}|\right) - \binom{2^{n-2}}{2^{n-3}} + 4 \sum_{r=1}^{2^{n-3}-1} C_{n-2}^2(2r)\, N_{n-2}(2r).$$ 

Lemma 10. For $n \ge 4$, 

$$\sum_{r=1}^{2^{n-3}-1} C_{n-2}^2(2r)\, N_{n-2}(2r) \ \ge\ \sum_{r=1}^{2^{n-3}-1} \binom{2^{n-3}}{r}^2 \left(\binom{2^{n-2}}{2r} - \binom{2^{n-3}}{r}\right).$$ 

Corollary 1. $\sum_{r=1}^{2^{n-3}-1} C_{n-2}^2(2r)\, N_{n-2}(2r) >$ 

The closed form lower bound in Lemma 10 and Corollary 1 (though a very 
conservative estimate) clearly indicates that the lower bound of Theorem 4 is a 
significant improvement over the bound $|A_{n-1}|^2$ obtained in [?]. 



4 Upper Bound 

The upper bound on $|A_n|$ was provided in [?] and it was later improved 
to $|A_n| \le \ldots$ This was obtained by showing that $A_n \subseteq K_n = \bigcup_{|j| \le 2^{n-2}} \{f_1 g_2 g_1 f_2 \mid f = f_1 f_2, \ g = g_1 g_2, \text{ and } f \in Y_j \text{ and } g \in 
Y_{-j}\}$, where $Y_j = \{f \in \Omega_{n-1} \mid \#(f = X_{n-1}) = \#(f \neq X_{n-1}) \text{ and } \#(f = 
X_{n-2}) - \#(f \neq X_{n-2}) = 2j\}$, $|j| \le 2^{n-2}$. The above condition is neces- 
sary for a function to be correlation immune. It has been shown in [2] that 
$F = f^u g^l g^u f^l \in \Omega_n$ is CI iff $wd(f^u f^l, X_{n-1}) = 0$, $wd(g^u g^l, X_{n-1}) = 0$ and 
$wd(f^u f^l, X_i) = -wd(g^u g^l, X_i)$ for $1 \le i \le n-2$. However, the following charac- 
terization holds. 

Theorem 5. $F = f^u g^l g^u f^l \in \Omega_n$ is CI iff $wd(f^u f^l, X_{n-1}) = 0$, $wd(g^u g^l, X_{n-1}) = 0$ 
and for $1 \le i \le n-2$, $wd(f^u f^l, X_i) = -wd(g^u g^l, X_i) \equiv 0 \bmod 4$. 

The equivalence to $0 \bmod 4$ in the above theorem was proved for only $i = 
n-2$ in [?]. The upper bound in [?] considered only the three leftmost variables 
$X_n, X_{n-1}, X_{n-2}$ in the truth table. One can get better necessary conditions by 
including variables $X_i$ for $i \le n-2$. However, if we consider the leftmost four 
variables then the conditions become complicated. So here we take a different 
approach. We show that there are functions in $K_n$ which are not correlation 
immune. A lower bound on the number of such functions provides a better upper 
bound on $|A_n|$. First we require the following two results. 
Proposition 7. Let $F \in \Omega_n$ be of the form $F = F_0 F_1 F_2 F_3 F_4 F_5 F_6 F_7$. If $k$ 
($0 \le k \le 7$) of the $F_i$'s are CI functions and the other $8 - k$ $F_i$'s are equal to a 
NCI function, then $F$ is NCI. 

Proposition 8. Let $f, g \in \Omega_{n-1}$ with $f = f_1 f_2 f_3 f_4$, and $g = g_1 g_2 g_3 g_4$, where 
$wt(f_1) = wt(g_2) = a_1$, $wt(f_2) = wt(g_1) = b_1$, $wt(f_3) = wt(g_4) = a_2$, $wt(f_4) = 
wt(g_3) = b_2$, and $a_1 + b_1 = a_2 + b_2$. Then $F = f_1 f_2 g_3 g_4 g_1 g_2 f_3 f_4 \in K_n$. 

The above two Propositions together constitute a sufficient condition for a fun- 
ction $f$ to belong to $K_n - A_n$. A lower bound on the number of such functions 
provides an improved upper bound on $|A_n|$. So the problem reduces to con- 
structing functions satisfying Proposition 7 and Proposition 8. 

Theorem 6. $|A_n| \le \ldots - \sum_{k=0}^{7} \binom{8}{k} \sum_{a=0}^{2^{n-3}} C_{n-3}^{k}(a)\, N_{n-3}(a)$. 

Proof: We consider functions of $\Omega_{n-3}$ of the same weight. The conditions of Pro- 
position 8 are satisfied if one chooses $k$ functions from $CIW_{n-3}(a)$ and 1 
function from $NCIW_{n-3}(a)$, where $k$ is as in Proposition 7. □ 

Remark 4. We choose only one function from $NCIW_{n-3}(a)$ and repeat it in 
$8 - k$ places instead of using $8 - k$ possibly different functions from $NCIW_{n-3}(a)$. 
This is because concatenation of two different NCI functions may generate a CI 
function (see also Remarks 1, 3). 

A more detailed analysis will provide a better upper bound. Depending on the 
value of $k$ in Proposition 7 several cases arise. For $0 \le k \le 3$, if $a_1 = a_2 = 
b_1 = b_2$, then $F \in K_n - A_n$. For $k \ge 4$, the situation is more complicated. Let 
$I_1 = \{f_1, g_2\}$, $I_2 = \{f_2, g_1\}$, $I_3 = \{f_3, g_4\}$, $I_4 = \{f_4, g_3\}$. The $k$ CI functions are to 
be chosen from the sets $I_1, I_2, I_3, I_4$. Suppose we choose $k_i$ functions from $I_i$, with 
$k_1 + k_2 + k_3 + k_4 = k$. This imposes conditions on $a_1, a_2, b_1, b_2$ for the resulting 
$F$ to be in $K_n - A_n$. We omit the complicated analysis here due to lack of space. 

5 $A_n(1,2,3,4)$ 

Here we provide lower bounds for $|A_n(1,2,3,4)|$. In [?] enumeration of 
$A_n(1,2,3,4)$ was reduced to that of $A_n(1,4)$ using the principle of inclusion 
and exclusion. Thus the crucial task is to provide a lower bound on $|A_n(1,4)|$. 
However, a lower bound on $|A_n(1,4)|$ does not immediately provide a lower 
bound on $|A_n(1,2,3,4)|$ using inclusion and exclusion. Theorem 8 provides a 
way out here. Moreover, the result shows (using Theorem 8, Theorem 9) the 
proportion of $|A_n(1,2,3,4)|$ in $|A_n(1,4)|$ is almost equal to 1 for large $n$. 
Initially we consider the following sets similar to Subsection 3.1. 

(1) $D_n^1 = \{F \in \Omega_n \mid wt(F) = 2^{n-1}, F \text{ is a palindrome}\}$, 

(2) $D_n^2 = \{S_1 S_1^r S_2^r S_2 \mid wt(S_1) = wt(S_2) = 2^{n-3}, \ S_1 \neq S_2^r, \text{ and } S_1, S_2 \in \Omega_{n-2}\}$, 

and (3) $D_n^3 = \{S S^c S^c S \mid wt(S) \neq 2^{n-3}, \ S \in \Omega_{n-2}, \ S \neq S^r\}$. 

Theorem 7. 

$$|A_n(1,4)| \ge \binom{2^{n-1}}{2^{n-2}} + 2^{2^{n-2}} + \binom{2^{n-2}}{2^{n-3}}\left(\binom{2^{n-2}}{2^{n-3}} - 2\right) - 2^{2^{n-3}} + \binom{2^{n-3}}{2^{n-4}}.$$ 
Theorem 8. 

$$|A_n(1,2,3,4)| = |A_n(1,3,4)| - 2 \ \ge\ |A_n(1,4)| - n\,|A_{n-1}(1,4)| - 2.$$ 
Mitchell [?, page 164] had commented that enumeration of $A_n(3,4)$ is a nontrivial 
task. However, similar to Theorem 8 one can show $|A_n(3,4)| \ge |A_n(4)|(1 - \ldots)$ 
and so the enumeration problem for $A_n(3,4)$ is really that of $A_n(4)$. It is 
also interesting to see that all the functions of $CIW_n(2a)$, where $a$ is odd, are 
nondegenerate. Now we use the techniques of Subsection 3.2 to provide recursive 
construction procedures and obtain improved lower bounds for $|A_n(1,4)|$. The 
technique provides new insights into the difficulty of enumerating such functions. 
Let us denote $T_n^u = \{f^u g^u g^l f^l \mid f \in CIW_{n-1}(2a), \ g \in CIW_{n-1}(2^{n-1} - 2a), \ 0 \le 
a \le 2^{n-2}, \ a \neq 2^{n-3}\}$ and $P_n^u = \{f^u g^u g^l f^l \mid f, g \in A_{n-1}(1,4)\}$. 

Proposition 9. (1) $T_n^u, P_n^u$ are mutually disjoint subsets of $A_n(1,4)$. (2) $|P_n^u| = 
|A_{n-1}(1,4)|^2$. (3) $|T_n^u| = \ldots$ for $n \ge 4$. 

Proof: Using Proposition 3, $T_n^u \subseteq A_n(4)$. Also it is easy to check that 
$P_n^u \subseteq A_n(1,4)$ and $T_n^u \cap P_n^u = \emptyset$. 
The proof of (2) is clear from the definition of $P_n^u$. The proof of (3) is derived 
from $C_{n-1}(2i) = C_{n-1}(2^{n-1} - 2i)$, since $f \in A_n$ iff $f^c \in A_n$. □ 

Next we construct a few sets in the same way as in Subsection 3.2. 

$V_n^u = \{S S^r S^r S \mid S \in \Omega_{n-2} - A_{n-2}(1,4), \ wt(S) = 2^{n-3}\}$, 

$Q_n^u = \{S_1 S_1^r S_3 S_4,\ S_3 S_4 S_1 S_1^r \mid S_1 \in \Omega_{n-2} - A_{n-2}(1,4), \ S_3, S_4 \in A_{n-2}(1,4), 
\text{ and } wt(S_1) = wt(S_3) = wt(S_4)\}$ and $R_n^u = \{S_1 S_3 S_1^r S_4,\ S_3 S_1 S_4 S_1^r 
\mid S_1 \in \Omega_{n-2} - A_{n-2}(1,4), \ S_3, S_4 \in A_{n-2}(1,4), \text{ and } wt(S_1) = wt(S_3) = wt(S_4)\}$. 

Proposition 10. (1) $T_n^u, P_n^u, V_n^u, Q_n^u, R_n^u$ are mutually disjoint subsets of 
$A_n(1,4)$. (2) $|V_n^u| = \binom{2^{n-2}}{2^{n-3}} - |A_{n-2}(1,4)|$, 

(3) $|Q_n^u| = |R_n^u| = 2\,|A_{n-2}(1,4)|^2 \left(\binom{2^{n-2}}{2^{n-3}} - |A_{n-2}(1,4)|\right)$. 

Theorem 9. For $n \ge 4$, 
$$|A_n(1,4)| \ge |A_{n-1}(1,4)|^2 + |T_n^u| + \left(\binom{2^{n-2}}{2^{n-3}} - |A_{n-2}(1,4)|\right)\left(1 + 4\,|A_{n-2}(1,4)|^2\right).$$ 

Proof: The proof follows from Proposition 9 and Proposition 10. □ 

Mitchell [?, page 168] remarked that there is no obvious candidate for 
$A_n(1,2,3,4,5)$. Earlier, a similar conjecture was proposed by Chor et al in [?] 
that balanced symmetric Boolean functions are all linear, and it was disproved 
in [?] showing there exists $n$ such that $A_n(1,2,4,5) \neq \emptyset$. We know that all the 
symmetric functions except the two identity functions 0 and 1 are nondegenerate. 
Hence, the counterexamples proposed in [?], being balanced, are all nondegene- 
rate. Thus the following theorem answers the question posed by Mitchell [?]. 

Theorem 10. There exists $n$ such that $A_n(1,2,3,4,5) \neq \emptyset$. 

Here we reduce the enumeration problem of $A_n(1,2,3,4)$ to that of $A_n(1,4)$ 
and solve that satisfactorily. A more challenging task in this direction is to 
enumerate $f \in A_n(1,2,3,4)$ having specified algebraic degree, nonlinearity and 
order of correlation immunity. Construction problems for such functions have 
been addressed in [?]. 
Appendix 

A1. Generating Function 

Let $g_k(x) = \sum_{a=0}^{2^k} C_k(a)\, x^a$ and 

$C(x) = \sum_{k \ge 0} g_k(x)\, y^k = \sum_{k \ge 0} \sum_{a=0}^{2^k} C_k(a)\, x^a y^k$. 

Also, $h_k(x) = \sum_{a=0}^{2^k} N_k(a)\, x^a$ and 

$N(x) = \sum_{k \ge 0} h_k(x)\, y^k$ for NCI functions. 
Proposition 11. (1) $C_k(a) + N_k(a) = \binom{2^k}{a}$, (2) $g_k(x) + h_k(x) = (1 + x)^{2^k}$ and 

(3) $C(x) + N(x) = \sum_{k \ge 0} (1 + x)^{2^k} y^k$. 

Let $p(x) = \sum_{i \ge 0} p_i x^i$, $q(x) = \sum_{i \ge 0} q_i x^i$. Define $p(x) \le q(x)$ if $p_i \le q_i$ for all 
$i \ge 0$. Also define $p^{[2]}(x) = \ldots$ 

Lemma 11. $h_{n-1}(x)\, g_{n-1}(x) \le h_n(x) \le (1 + x)^{2^n} - g_{n-1}^{[2]}(x)$. 
Proof: From Proposition 1 we get $\sum_{r=0}^{a} N_{n-1}(r)\, C_{n-1}(a - r) \le N_n(a) \le 
\binom{2^n}{a} - C_{n-1}(a/2)$. Note that, if $a$ is odd or $a \equiv 2 \bmod 4$ then $C_{n-1}(a/2)$ is zero. The 
result then follows from the fact that the generating function for the convolution 
of two sequences is the product of the generating functions of the individual 
sequences. □ 

A2. Some Proofs of Subsection 3.1 

Proof of Lemma 4 

Proof: It can be checked that (1) holds. Now we prove (2). We choose an 
$i$ such that $0 \le i \le 2^{n-2}$. So we can choose $S_1$ in $\binom{2^{n-2}}{i}$ ways. Depending on 
the choice of $S_1$, we can choose $S_2$ in $\left(\binom{2^{n-2}}{i} - 1\right)$ ways leaving out $S_1^r$, since 
$S_1$ and $S_2^r$ need to be distinct. Hence, 
$$|D_n^2| = \sum_{i=0}^{2^{n-2}} \binom{2^{n-2}}{i}\left(\binom{2^{n-2}}{i} - 1\right) = \sum_{i=0}^{2^{n-2}} \binom{2^{n-2}}{i}^2 - \sum_{i=0}^{2^{n-2}} \binom{2^{n-2}}{i} = \binom{2^{n-1}}{2^{n-2}} - 2^{2^{n-2}}.$$ 
The proof of (3) is found by 
discarding the balanced functions and palindromic functions from $\Omega_{n-2}$. □ 

A3. Some Proofs of Subsection 3.2 

Proof of Proposition 6 

Proof: That $P_n, Q_n, R_n$ are proper subsets of $A_n$ will be clear from the 
remaining part of the proof. Now we prove the last statement. Let $S \in B_{n-2}$, 
and $S$ is not balanced. It is easy to check that such functions exist for $n > 2$. 
Since $SS, S^c S^c \in B_{n-1}$, $S S^c S^c S \notin (P_n \cup Q_n \cup R_n)$. However, it can be checked 
that $S S^c S^c S$ is a function of the form $X_n \oplus g$, where $g \in \Omega_{n-1}$ and $g$ is balanced. 

Thus, by Siegenthaler's construction [?, Section VI], $S S^c S^c S \in A_n$. 

The last statement holds since there are at least $2^{2^{n-2}} - \binom{2^{n-2}}{2^{n-3}} - |A_{n-2}|$ 
choices of unbalanced NCI functions $S$. □ 

Proof of Lemma 5 

Proof: Let $F \in U_n$. Then from Definition 3, $F \in Q_n$, $F \in R_n$, $F \notin P_n$. 
Thus $U_n \subseteq (Q_n \cap R_n) - P_n$. On the other hand, let $F \in (Q_n \cap R_n) - P_n$. Now $F$ 
can be written as $S_1 S_2 S_3 S_4$, where $S_1, S_2, S_3, S_4 \in \Omega_{n-2}$. Since $S_1 S_2 \in A_{n-1}$, 
either both $S_1, S_2 \in A_{n-2}$ or both $S_1, S_2 \in B_{n-2}$ (using Proposition 1). Similarly 
$S_1 S_3 \in A_{n-1}$ forces either both $S_1, S_3 \in A_{n-2}$ or both $S_1, S_3 \in B_{n-2}$. Since 
$S_2 S_3 \in B_{n-1}$, both $S_2$ and $S_3$ can't be in $A_{n-2}$. So, both of them must be in 
$B_{n-2}$ and hence $S_1$ is also in $B_{n-2}$. Similarly it can be shown that $S_4$ too belongs 
to $B_{n-2}$. Thus $F \in U_n$, which implies $(Q_n \cap R_n) - P_n \subseteq U_n$. □ 
Proof of Lemma 6 

Proof: By Lemma 3, if $f = S S^r$ and $g = S^r S$ where $S \in B_{n-2}$, then $f, g \in 
A_{n-1}$. Thus it is easy to see that $V_n \subseteq Q_n$ and also $V_n \subseteq R_n$. 

Let $F \in V_n$ and, if possible, $F \in P_n$. As $F \in P_n$, $F$ is of the form $f^u g^u g^l f^l$ 
where $f, g \in A_{n-1}$. However, $F \in V_n$, so $F$ is of the form $F = S S^r S^r S$, where $S \in 
B_{n-2}$. Thus, $f = f^u f^l = SS$. Then by Proposition 1 (item 4), $f \notin A_{n-1}$, which is 
a contradiction. Thus, we get $V_n \cap P_n = \emptyset$, and hence $V_n \subseteq (Q_n \cap R_n) - P_n = U_n$. 

To get $|V_n|$ note that for $S$ we can choose any function from $B_{n-2}$. □ 

Proof of Lemma 7 

Proof: First we take $n = 4$. If we try to build $F \in U_4$, we have to start 
with $S_i \in B_2$, $1 \le i \le 4$, of the same weight. For $S_i, S_j$, $i \neq j$, we have $S_i S_j \in B_3$ 
unless $S_i = S_j^r$. Hence $S_1 S_2 S_3 S_4$ must be of the form $S S^r S^r S$. So, $V_4 = U_4$. 

Consider the case for $n = 5$. Let $S_1 = 10000100$ and $S_2 = 00010010$. Note 
that both $S_1, S_2 \in B_3$. So, by item (4) of Proposition 1, $S_1 S_1, S_2 S_2 \in B_4$. 
However, it can be checked that $S_1 S_2 \in A_4$. So, $S_1 S_2 S_2 S_1 \in U_5$. Also, $S_1 \neq S_2^r$. 
Thus, $S_1 S_2 S_2 S_1 \notin V_5$. Hence, $V_5 \subsetneq U_5$. 

For $n > 5$, say $n = 5 + k$, $k > 0$, take $h_1 = S_1 S_1 \ldots S_1$ ($2^k$ times) and $h_2 = 
S_2 S_2 \ldots S_2$ ($2^k$ times). Thus, we have $h_1, h_2 \in B_{3+k}$, $h_1 \neq h_2^r$ and $h_1 h_2 \in A_{4+k}$, 
which completes the proof. □ 

Proof of Lemma 8 

Proof: Statement (1) can be proved in the same way as Lemma 5 and (2) 
can be proved similar to Lemma 7. Next we prove (3). Let us consider the form 
$S_1 S_1^r S_3 S_4$. Since any correlation immune function is of even weight, we only 
consider the even weight functions of $\Omega_{n-2}$. Also, there is no function in $B_{n-2}$ 
of weight 0 or $2^{n-2}$. Thus we only consider the functions of $\Omega_{n-2}$ of weight $2r$, 
where $r$ varies from 1 to $2^{n-3} - 1$. Now $S_3$ and $S_4$ can be any two correlation 
immune functions, and so can be chosen in $C_{n-2}^2(2r)$ ways, whereas $S_1$ can be 
chosen in $N_{n-2}(2r)$ ways. Thus we get the choice of $\sum_{r=1}^{2^{n-3}-1} C_{n-2}^2(2r)\, N_{n-2}(2r)$ 
functions. Now, the functions of the form $S_1 S_1^r S_3 S_4$ and $S_3 S_4 S_1 S_1^r$ are distinct, 
since the first one starts with a function from $B_{n-2}$ whereas the second one 
starts with a function from $A_{n-2}$. Thus, we get the cardinality of $Q_n^3$. □ 

Proof of Lemma 9 

Proof: Consider $F = S_1 S_1^r S_2 S_2^r$, where $S_1, S_2 \in B_{n-2}$, $wt(S_1) = wt(S_2)$, 
and both $S_1 S_2, S_1 S_2^r \in B_{n-1}$. Thus, $F \notin (P_n \cup R_n)$. Also $F \notin Q_n^1$, since all 
$S_1, S_1^r, S_2, S_2^r \in B_{n-2}$. Now, we have to show the existence of such $S_1, S_2 \in B_{n-2}$. 
Consider $wt(S_1) = wt(S_2) = 1$, $S_1$ is of the form $1000 \ldots 0$ and $S_2$ is of the form 
$0100 \ldots 0$. Let $S_1 S_2, S_1 S_2^r$ be functions of input variables $X_1, \ldots, X_{n-1}$. Then 
$\#(S_1 S_2 = 1 \mid X_{n-2} = 0) = 2$ and $\#(S_1 S_2 = 1 \mid X_{n-2} = 1) = 0$. Thus by 
Lemma 2, $Prob(S_1 S_2 = X_{n-2}) \neq \frac{1}{2}$. Also, $\#(S_1 S_2^r = 1 \mid X_1 = 0) = 2$ and 
$\#(S_1 S_2^r = 1 \mid X_1 = 1) = 0$. Thus by Lemma 2, $Prob(S_1 S_2^r = X_1) \neq \frac{1}{2}$. Hence, 
both $S_1 S_2, S_1 S_2^r \in B_{n-1}$. □ 
Proof of Theorem 4 

Proof: Using Lemma 6, Theorem 3 and Remark 2, 
$$|P_n \cup Q_n \cup R_n| \ge |A_{n-1}|^2 + 2^{2^{n-2}} - |A_{n-2}| + 4 \sum_{r=1}^{2^{n-3}-1} C_{n-2}^2(2r)\, N_{n-2}(2r).$$ 
From Proposition 6, 
$$|A_n| \ge |P_n \cup Q_n \cup R_n| + 2^{2^{n-2}} - \binom{2^{n-2}}{2^{n-3}} - |A_{n-2}|. \ \square$$ 

Proof of Lemma 10 

Proof: $C_{n-2}(2r) + N_{n-2}(2r) = \binom{2^{n-2}}{2r}$, a constant for fixed $r$, $1 \le r \le 
2^{n-3} - 1$. Now, $C_{n-2}^2(2r)\, N_{n-2}(2r)$ is increasing in $0 < C_{n-2}(2r) < \frac{1}{2}\binom{2^{n-2}}{2r}$. 
Also, $\binom{2^{n-3}}{r} \le C_{n-2}(2r) < \frac{1}{2}\binom{2^{n-2}}{2r}$. 
So, $C_{n-2}^2(2r)\, N_{n-2}(2r) \ge \binom{2^{n-3}}{r}^2 \left(\binom{2^{n-2}}{2r} - \binom{2^{n-3}}{r}\right)$. Thus, 

$$\sum_{r=1}^{2^{n-3}-1} C_{n-2}^2(2r)\, N_{n-2}(2r) \ge \sum_{r=1}^{2^{n-3}-1} \binom{2^{n-3}}{r}^2 \left(\binom{2^{n-2}}{2r} - \binom{2^{n-3}}{r}\right).$$ 

Proof of Corollary 1 

$$\binom{2^{n-2}}{2^{n-3}} \binom{2^{n-3}}{2^{n-4}}^2 >$$ 

by using Stirling's approximation $k! \approx \sqrt{2\pi k}\,(k/e)^k$. 

A4. Some Proofs of Section 5 

Proof of Theorem 7 

Proof: It can be checked that $D_n^1, D_n^2, D_n^3$ are mutually disjoint subsets 
of $CIW_n(2^{n-1})$. Now, $|D_n^1| = \binom{2^{n-1}}{2^{n-2}}$, $|D_n^2| = \binom{2^{n-2}}{2^{n-3}}\left(\binom{2^{n-2}}{2^{n-3}} - 1\right)$, and 
$|D_n^3| = 2^{2^{n-2}} - \binom{2^{n-2}}{2^{n-3}} - \left(2^{2^{n-3}} - \binom{2^{n-3}}{2^{n-4}}\right)$. □ 

Proof of Theorem 8 

Proof: The equality comes from the existence of only two affine functions in 
$A_n(1,3,4)$. The inequality comes from the fact that there are at most 
$n\,|A_{n-1}(1,4)|$ degenerate functions in $A_n(1,4)$. □ 
Abstract. We use combinatorial methods and permutation groups to 
classify homogeneous boolean functions. The property of symmetry of 
a boolean function limits the size of the function's class. We exhausti- 
vely searched for all boolean functions on $V_6$. We found two interesting 
classes of degree 3 homogeneous boolean functions: the first class is de- 
gree 3 homogeneous bent boolean functions; and the second is degree 3 
homogeneous balanced boolean functions. Both the bent and balanced 
functions discovered have nice algebraic and combinatorial structures. 
We note that some structures can be extended to a large boolean space. 
The application of homogeneous boolean functions for fast implementa- 
tion on parallel architectures is mooted. 

Keywords: S-box Theory, Cryptographically Strong Boolean Functions, 
Symmetric Functions, Homogeneous Functions. 



1 Introduction 

The S-box theory emerged quite recently as a part of Cryptology. Shannon [?] 
established its foundations by formulating the principles for secure product ci- 
pher design. To get secure encryption algorithms, it is enough to design two 
elementary blocks: a permutation block (or P-box) and a substitution block (or 
S-box). P-boxes provide diffusion while S-boxes furnish confusion. Encryption 
algorithms, according to Shannon's concepts, are nothing but a sequence of ite- 
rations. Each iteration uses a layer of S-boxes controlled by a secret key. Between 
two consecutive iterations, a single P-box of known structure is used (the P-box 
is not keyed). 

Shannon's product cipher is easy to implement. If we select building blocks 
at random (so both P-boxes and S-boxes are random), we can still get with a 
high probability a strong cipher provided we use "a large enough" number of 
iterations [?]. The real challenge in the S-box theory is how to design S-boxes so 
we can reduce the number of iterations without loss of security. Boolean functions 
are universal tools for S-box design and have received considerable attention over 
the last decade [?]. The cryptographic usefulness of a given boolean function 
is measured by its cryptographic properties. The collection of these properties 
includes balance, strict avalanche criterion or SAC, high nonlinearity [?] and 
higher-degree propagation criteria [?]. If an S-box (or corresponding collection 
of boolean functions) is implemented as a lookup table, then the length or the 
form of boolean functions is not important. This is no longer true when the 
evaluation of the function is done on the fly; this is the case in all MD-type 
hashing algorithms (MD4, MD5, SHA-1, HAVAL) [?]. It was argued in [?] that 
symmetric boolean functions can be very efficiently evaluated. Since symmetric 
boolean functions are composed of a series of homogeneous parts in a boolean 
space, we study the symmetric properties of boolean functions starting from 
homogeneous boolean functions. 

This work studies homogeneous boolean functions, which form a subclass of 
symmetric functions whose terms (in the algebraic normal form) are of the same 
degree. In particular, we examine symmetric properties of 3-homogeneous bent 
functions and highly nonlinear balanced ones in $V_6$. 

2 Boolean Functions and Permutation Groups 

We first introduce necessary notations. The $n$-dimensional boolean space $V_n$ con- 
tains the following $2^n$ vectors (binary sequences with length $n$) 

$$\alpha_0 = (0, \cdots, 0, 0),\ \alpha_1 = (0, \cdots, 0, 1),\ \cdots,\ \alpha_{2^n - 1} = (1, \cdots, 1, 1). \qquad (1)$$ 

Let $\alpha = (a_1, \cdots, a_n)$, $a_i \in GF(2)$, be a vector in $V_n$. Then a single term of a 
boolean function on a boolean space $V_n$ is written as $x^\alpha$. In general, 
a boolean function can be represented by its algebraic normal form as 

$$f(x) = \bigoplus_{\alpha \in V_n} c_\alpha x^\alpha, \qquad c_\alpha = 0 \text{ or } 1. \qquad (2)$$ 

The values of a function form a binary sequence of length $2^n$. For a binary 
sequence, $wt(\cdot)$ denotes its Hamming weight, which equals the number of 1s 
in the sequence. A function $f(x)$ is called $d$-homogeneous if all $\alpha \in V_n$ in the 
function (2) have the same Hamming weight, equal to $d$ ($wt(\alpha) = d$). 

Let $S_n$ denote a permutation group with $n$ entries and $e$ the unit element 
of $S_n$. The order of the group is $n!$. The minimum number of generators of 
$S_n$ is $n - 1$. For example, the generators can be $(1\ n), (1\ n-1), \cdots, (1\ 2)$. 
The highest order of the elements of $S_n$ is $n$. We use the traditional definition 
of writing $\pi = (i\ j \cdots k)$ for the permutation 



Definition 1. Let $\pi$ be an element of the permutation group $S_n$. Assume that 
permutations from $S_n$ are used to permute the $n$ variables of a boolean function. So 
for a permutation $\pi = (i\,j) \in S_n$, we can write that 

$$\pi\alpha = (i\,j)(a_1, \cdots, a_i, \cdots, a_j, \cdots, a_n) = (a_1, \cdots, a_j, \cdots, a_i, \cdots, a_n). \qquad (4)$$ 



C. Qu, J. Seberry, and J. Pieprzyk 



We say that a permutation $\pi \in S_n$ acts on a boolean function $f(x)$ if it permutes 
the function's variables, i.e. 

$$\pi f(x) = \pi \bigoplus_{\alpha \in V_n} c_\alpha x^\alpha = \bigoplus_{\pi\alpha \in V_n} c_\alpha x^{\pi\alpha} = \bigoplus_{\beta \in V_n} c_\beta x^\beta \qquad (5)$$ 

where $\pi\alpha = \beta$. 

The permutation is a 1-1 transformation for a function $f(x)$. Under all 
permutations in $S_n$, a function $f(x)$ generates a function set $\{\pi f \mid \pi \in S_n\}$. For 
each boolean function $f(x)$, there exists a minimum subset, denoted by $VG(f)$, 
of $S_n$ such that $\{\pi f \mid \pi \in VG(f)\} = \{\pi f \mid \pi \in S_n\}$. 

Lemma 1. Let $\pi$ be an element of the permutation group $S_n$, and $\pi f(x) = g(x)$. 
Then 

1. all the functions $\pi f(x)$ ($\pi \in S_n$) have the same cryptographic properties 
such as Hamming weight, nonlinearity and SAC¹; 

2. the set $\{\pi f(x) \mid \pi \in S_n\}$ forms a group if $e f(x) = f(x)$ ($e$ the unit of $S_n$) is 
the unit of the set and the group operation "$\circ$" is defined as follows 

$$[\pi_i f(x)] \circ [\pi_j f(x)] = (\pi_i \pi_j) f(x) = \pi_k f(x), \qquad (6)$$ 

where $\circ$ stands for composition of functions or permutations and all $\pi_i, \pi_j, \pi_k \in 
VG(f)$. The group is denoted by $PG(f)$. 

The group operation "$\circ$" on $PG(f)$ is not the operation in $S_n$. The equality 

$$(\pi_i \pi_j) f(x) = \pi_k f(x) \qquad (7)$$ 

does not ensure that $\pi_i \pi_j$ is equal to $\pi_k$ except when $\pi_i \pi_j \in VG(f)$. For example, 
suppose $\pi_i \pi_j = \pi_k \pi_l$ and $\pi_l f(x) = f(x)$. Then we get the above equality and 
$\pi_i \pi_j \neq \pi_k$ except when $\pi_l = e$. 

Proof. Consider the following two parts of the proof. 

1. Since the permutation is a linear 1-1 variable transformation, it preserves all 
the properties of the function $f(x)$. 

2. To be a group, the set with the operation $\circ$ must satisfy the following condi- 
tions: (i) the unit element must exist; (ii) each element must have the inverse 
in the set and the left inverse is equal to the right inverse; (iii) the associa- 
tive rule must hold for the operation; (iv) the set must be closed under the 
operation. 

The unit element of the set is the function itself $f(x)$. Let $\pi_i f(x)$ be an 
element of the set. Then the element has its inverse $\pi_j f(x)$, such that $\pi_j = \pi_i^{-1}$, 
in the set, since 

$$[\pi f(x)] \circ [\pi^{-1} f(x)] = [\pi^{-1} f(x)] \circ [\pi f(x)] = f(x). \qquad (8)$$ 

¹ For the cryptographically desirable properties of boolean functions, see papers [?]. 



On the Symmetric Property of Homogeneous Boolean Functions 



According to the definition of group operation, 

[TTifix) O TTjf{x)] O TTkfix) = TTif{x) O [TTjf{x) O TTkfix)] (9) 

is true. Hence the associative rule holds. The set, {nf{x) \ Vtt G contains 
all different boolean functions generated by permutations in 5'„. Therefore, 
the set is closed. So we have proved that the set, {Trf{x) \ tt G S'n}, with 
composition o is a group. 

The group PG{f) is a homomorphism to symmetric group 5'„. Consider a 
relation between the groups PG{f) and There exists subgroups of 5'„, say 
H{f), such that TTif{x) = f{x) for some tt^ G 5'„. For any given boolean function 
f{x) on Vn, there is at least one subgroup H{f) of Sn which is the subgroup 
containing the unit element {e}. By convention, for a given boolean function 
/(x) we denote H{f) is the biggest subgroup of Sn- Since PG{f) = VG{f)f{x), 
then 

= i?(/) + 7Tli?(/) + 7T2i?(/) + • • • TT,&PG{f) (10) 

where “+” denotes the union of sets. Equation PI is true, since all the inters- 
ection sets, TTiH{f) r\TTjH{f), where Tri,^^ G PG{f), are empty. Therefore the 
order of the group H{f) is \H{f)\ = n\/\PG{f)\. 

For a boolean space Vn, there are 2^ different boolean functions and the 
size of the permutation group is n\. Since 2^ ^ n\, it is impossible to discuss 
all PG{f). However, we can use the permutation group to discuss homogeneous 
boolean functions in which some of them have nice combinatorial structures. The 
study of the group H{f) is more important than the group PG{f). For example, 
the function /(x) = Xi has the group H(f) with order (n — 1 )! and /(x) = xtXj 
has the group H{f) with order 2 (n — 2 )!. 

Throughout the paper, the boolean function containing all terms of degree 
$d$ over $V_n$ is denoted by $P_n^{(d)}(x)$. Clearly the group $H(P_n^{(d)}) = S_n$. For the sake 
of simplicity, we use the natural numbers to encode the terms. For example, 123 
stands for $x_1 x_2 x_3$. Thus a function 

$f(x) = x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus$ 
$\quad x_1x_4x_6 \oplus x_1x_5x_6 \oplus x_2x_3x_4 \oplus x_2x_3x_6 \oplus x_2x_4x_5 \oplus x_2x_5x_6 \oplus$ 
$\quad x_3x_4x_5 \oplus x_3x_4x_6 \oplus x_3x_5x_6 \oplus x_4x_5x_6$ 

can be equivalently represented as 

$f(x) = P_6^{(3)}(x) \oplus x_1x_3x_6 \oplus x_1x_4x_5 \oplus x_2x_3x_5 \oplus x_2x_4x_6$ (11) 

or 

$f(x) = 123 \oplus 124 \oplus 125 \oplus 126 \oplus 134 \oplus 135 \oplus 146 \oplus 156 \oplus$ 
$\quad 234 \oplus 236 \oplus 245 \oplus 256 \oplus 345 \oplus 346 \oplus 356 \oplus 456$ 
$\quad = P_6^{(3)}(x) \oplus 136 \oplus 145 \oplus 235 \oplus 246.$ 
Combinatorial parameters are useful to discuss homogeneous boolean functions, 
allowing easy determination of in-equivalence. We take each single term as 
a block, so that $x_1x_2x_3$ is the block 123. 

We will use the concept of a BIBD [...]. BIBD stands for balanced incomplete 
block design, which is a block design with $v$ varieties and has parameters $k$, 
the number of varieties in a block, $\beta$, the number of blocks in the design, and 
$r_1, \cdots, r_v$, the numbers of repetitions of the varieties respectively. Sometimes we use 
the parameters $\lambda_1, \lambda_2, \cdots$ to stand for the numbers of repetitions of pairs in 
the block design. Let $v$ stand for the space dimension, $k$ for the order of the 
function, $\beta$ for the number of terms in the function and let $r_1, \cdots, r_v$ be the 
numbers of repetitions of the variables $x_1, \ldots, x_v$ in the function, respectively. Then 
the structure of a $d$-homogeneous boolean function can be considered as a BIBD 
with parameters $\{v, k, \beta, r_1, \cdots, r_v\}$. 

Lemma 2. Let $f$ be a homogeneous boolean function on $V_n$. If the element $(ij) \in S_n$ 
belongs to the group $H(f)$, the repetitions of $x_i$ and $x_j$ must be equal, i.e. 

$r_i = r_j$. 

Proof. By contradiction. Suppose $r_i \neq r_j$; then $(ij)f(x) \neq f(x)$. Then we have 
$(ij) \notin H(f)$, which is a contradiction. 

3 3-Homogeneous Boolean Functions 

We conducted an exhaustive computer search of all 3-homogeneous functions on 
$V_6$ and found the complete set of bent² and balanced 3-homogeneous boolean 
functions which exist on $V_6$. These are used as the basis on which we discuss 
3-homogeneous boolean functions. 

Definition 2. Let $f(x)$ be a $d$-homogeneous boolean function on $V_n$. Then the 
homogeneous complement of $f(x)$ is defined by 

$f_c(x) = P_n^{(d)}(x) \oplus f(x).$ (12) 

It is clear that a given homogeneous function $f(x)$ can be equivalently represented 
by the terms it contains (i.e. the function $f(x)$) or by the terms it does 
not contain (i.e. the function $f_c(x)$). The function $f_c(x)$ preserves all symmetric 
properties of the function $f(x)$. We use the shorter of the two representations, $f(x)$ or $f_c(x)$. 

3.1 3-Homogeneous Bent Functions 

We know that the function 

$f(x) = 124 \oplus 125 \oplus 126 \oplus 134 \oplus 135 \oplus 136 \oplus 146 \oplus 156 \oplus$ 
$\quad 234 \oplus 235 \oplus 236 \oplus 245 \oplus 256 \oplus 345 \oplus 346 \oplus 456$ 
$\quad = P_6^{(3)}(x) \oplus 123 \oplus 145 \oplus 246 \oplus 356 = P_6^{(3)}(x) \oplus f_c(x)$ 

is bent on $V_6$, where $f_c(x)$ is the homogeneous complement of $f(x)$, 

$f_c(x) = 123 \oplus 145 \oplus 246 \oplus 356 = P_6^{(3)}(x) \oplus f(x).$ (13) 

² For the definition of bent function see the papers, for example, [...]. 

The function $f_c(x)$ can be seen as a combinatorial design with parameters as 
follows, 

$\{v, \kappa, \beta, r_1, r_2, r_3, r_4, r_5, r_6\} = \{6, 3, 4, 2, 2, 2, 2, 2, 2\}.$ (14) 

This is a BIBD$(v, b, k, r, \lambda)$ = BIBD$(4, 6, 3, 2, 1)$ in which the parameters $v = \beta$, 
$b = v$, $k = \kappa$. The group $H(f)$ is generated by the elements $(12)(56)$, $(13)(46)$ 
and $(24)(35)$. The elements $(12)$, $(13)$, $(14)$ are 3 generators of $S_4$. If we take the 
mapping 

$(12) \mapsto (12)(56), \quad (13) \mapsto (13)(46), \quad (14) \mapsto (24)(35),$ (15) 

we find that $H(f)$ is isomorphic with $S_4$, i.e. $H(f) \cong S_4$. Hence the order of 
$PG(f)$ is $6!/4! = 30$, which means that there are only 30 bent functions of this 
kind on $V_6$. Let $Z_2 = \{e, (16)(34)\}$, $Z_2' = \{e, (16)(25)\}$ and 

$S' = \{e, (12)(56), (13)(46), (23)(45), (123)(465), (132)(456)\}.$ 

Then the group can be expressed as 

$H(f) = Z_2 \times Z_2' \times S'.$ (16) 

There are many ways to represent the groups $H(f)$ and $PG(f)$. The explicit 
forms of the two groups are as follows. 

$H(f) = \{ e, (12)(56), (13)(46), (14)(36),$ 
$\quad (15)(26), (23)(45), (24)(35), (16)(34),$ 
$\quad (16)(25), (34)(25), (25)(1364), (25)(1463),$ 
$\quad (34)(1562), (34)(1265), (16)(2453), (16)(2354),$ 
$\quad (123)(465), (132)(456), (124)(365), (142)(356),$ 
$\quad (263)(145), (154)(236), (135)(264), (153)(246) \}$ 

$PG(f) = \{ f, (45)f, (56)f, (465)f,$ 
$\quad (456)f, (46)f, (34)f, (345)f,$ 
$\quad (34)(56)f, (3465)f, (3456)f, (346)f,$ 
$\quad (354)f, (35)f, (3564)f, (35)(46)f,$ 
$\quad (356)f, (3546)f, (3654)f, (365)f,$ 
$\quad (364)f, (3645)f, (36)f, (36)(45)f,$ 
$\quad (26)(35)f, (26)(354)f, (26)(345)f, (26)(34)f,$ 
$\quad (25)(45)f, (26)f \}.$ 

For any bent function on $V_n$ its nonlinearity is 

$N_f = 2^{n-1} - 2^{n/2 - 1}.$ (19) 

So on $V_6$, $N_f = 28$. 
3.2 3-Homogeneous Balanced Functions 

We found two classes of balanced functions on $V_6$. One class contains functions 
with 14 terms. The other class includes functions with 15 terms. All the boolean 
functions in the two classes have the nonlinearity $N_f = 24$. Compared with 
other balanced boolean functions, it is not lower (for bent functions $N_f = 28$). There exist 
more classes of homogeneous balanced boolean functions on the boolean spaces 
with $n > 6$. The maximum nonlinearities are 52 on $V_7$ (the maximum for all boolean 
functions is 56) and 112 on $V_8$ (for bent functions it is 128). 

(A) A 14-term 3-homogeneous boolean function 

$f(x) = P_6^{(3)}(x) \oplus 126 \oplus 136 \oplus 145 \oplus 234 \oplus 235 \oplus 456$ (20) 

is balanced and its complement $f_c(x)$ can be characterised by its combinatorial 
parameters, 

$\{v, \kappa, \beta, r_1, r_2, r_3, r_4, r_5, r_6\} = \{6, 3, 6, 3, 3, 3, 3, 3, 3\},$ (21) 

which is also a BIBD$(v, b, k, \lambda_1, \lambda_2)$ = BIBD$(6, 6, 3, 2, 1)$. Under the permutation 
operations $\{(16), (23), (45)\}$ the function $f$ does not change. Also, 
the set of permutations 

$\{(124635), (125634), (134625), (135624)\}$ (22) 

leaves the function unchanged. The set 

$\{ e, (16), (23), (45),$ 
$\quad (16)(23), (16)(45), (23)(45), (16)(23)(45),$ 
$\quad (124635), (125634), (134625), (135624),$ 
$\quad (124)(356), (125)(346), (134)(256), (135)(246),$ 
$\quad (142)(365), (152)(364), (153)(264), (143)(265),$ 
$\quad (153642), (143652), (152643), (142653) \}$ 

forms a group $H(f)$. We point out that the group $H(f)$ is not isomorphic to 
the symmetric group $S_4$, since $S_4$ does not contain any element of order 6. 
The group $H(f)$ is isomorphic to the group 

$A \cup C_1 \cup C_2 \cup C_3 \cup C_4,$ (24) 

where $A = Z_2 \times Z_2 \times Z_2$ is an Abelian group, and $C_1, C_2, C_3, C_4$ are four 
cyclic groups of order 6 which are generated by the elements 

$(124635), (125634), (134625), (135624),$ 

respectively. 

The balanced function $f(x)$ can also be expressed as 

$f(x) = P_6^{(3)}(x) \oplus \bigoplus_{h=0}^{5} \pi^h (x_1 x_2 x_6),$ (25) 

where $\pi$ is an element of order 6 in $H(f)$. Since the order of the group is 24, 
we have 

$|PG(f)| = \frac{6!}{|H(f)|} = \frac{720}{24} = 30,$ (26) 

which says that there are 30 3-homogeneous balanced functions with exactly 
14 terms. 

(B) A representative of the balanced 3-homogeneous boolean functions with 15 
terms, 

$f(x) = P_6^{(3)}(x) \oplus x_1x_4x_6 \oplus x_1x_5x_6 \oplus x_2x_3x_5 \oplus x_2x_4x_5 \oplus x_3x_4x_5$ 
$\quad = P_6^{(3)}(x) \oplus 146 \oplus 156 \oplus 235 \oplus 245 \oplus 345,$ 

is invariant under the permutation operations $\{e, (16), (23), (16)(23)\}$. Therefore 
$H(f) = \{e, (16), (23), (16)(23)\}$ and $PG(f)$ has order 180. Among all 
15-term 3-homogeneous boolean functions, there are 4 functions with the 
same symmetry. We can see that the functions 

$f_{c1}(x) = 146 + 156 + 235 + 245 + 345$ 
$f_{c2}(x) = 146 + 156 + 234 + 245 + 345$ 
$f_{c3}(x) = 145 + 146 + 234 + 235 + 456$ 
$f_{c4}(x) = 145 + 156 + 234 + 235 + 456$ 

share the same symmetry under the subgroup 

$H(f) = \{e, (16), (23), (16)(23)\}.$ 

The four functions also have the relations 

$f_1(x) = (45) f_2(x) = (12)(36) f_3(x) = (12)(36)(45) f_4(x).$ (28) 

The combinatorial parameters of the complementary function $f_c(x)$ of the function 
$f(x)$ are 

$\{v, \kappa, \beta, r_1, r_2, r_3, r_4, r_5, r_6\} = \{6, 3, 5, 2, 2, 2, 3, 4, 2\}.$ (29) 
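The statements of this section and of section 2 can all be checked mechanically: the coset relation $|H(f)| = n!/|PG(f)|$ of eq. (10), Lemma 2, the design parameters $\{v, k, \beta, r_1, \cdots, r_v\}$, and the bent, balanced and group-order claims for the functions of eq. (13), eq. (20) and part (B). The Python below is an added example, not code from the paper: it stores a homogeneous function as the set of its terms (its blocks), finds $H(f)$ and $PG(f)$ by brute force over $S_n$, reads off the design parameters, and computes balance and nonlinearity from the Walsh spectrum. The function and helper names (terms, stabilizer, orbit, design_parameters, lemma2_holds) are this example's own. The 28-term $V_7$ function of section 4 is included as transcribed from the page, written by the seven degree-3 terms it lacks; that transcription is an assumption of this example.

```python
"""Symmetry and cryptographic properties of homogeneous boolean functions.

Added example, not code from the paper: a d-homogeneous function on V_n is
stored as a set of d-subsets of {1..n}, i.e. its terms, the "blocks" of the
design of section 2.  The functions below are the paper's own examples, typed
in from their term lists (123 stands for x1 x2 x3).
"""
from itertools import combinations, permutations
from math import factorial

def terms(*codes):
    """Parse the paper's numeric encoding: terms("126", "145") -> {{1,2,6}, {1,4,5}}."""
    return frozenset(frozenset(int(ch) for ch in code) for code in codes)

def all_terms(n, d):
    """P_n^(d): every degree-d monomial over V_n."""
    return frozenset(frozenset(t) for t in combinations(range(1, n + 1), d))

def homogeneous_complement(f, n, d):
    """f_c = P_n^(d) xor f (eq. 12): XOR of two homogeneous functions is the
    symmetric difference of their term sets."""
    return all_terms(n, d) ^ f

def apply_perm(perm, f):
    """pi f(x): rename variable i to perm[i] in every term."""
    return frozenset(frozenset(perm[i] for i in t) for t in f)

def all_perms(n):
    """S_n, each permutation as a dict {i: image of i}."""
    ident = range(1, n + 1)
    return [dict(zip(ident, p)) for p in permutations(ident)]

def stabilizer(f, n):
    """H(f): the permutations of S_n that leave f unchanged (brute force over n!)."""
    return [p for p in all_perms(n) if apply_perm(p, f) == f]

def orbit(f, n):
    """PG(f): all distinct pi f(x), pi in S_n; eq. (10) gives |PG(f)| = n!/|H(f)|."""
    return {apply_perm(p, f) for p in all_perms(n)}

def truth_table(f, n):
    """f(x) for x = 0 .. 2^n - 1, bit i-1 of x holding the variable x_i."""
    table = []
    for x in range(1 << n):
        value = 0
        for t in f:                      # each term is the AND of its variables
            if all((x >> (i - 1)) & 1 for i in t):
                value ^= 1               # terms are summed mod 2
        table.append(value)
    return table

def nonlinearity(f, n):
    """N_f = 2^(n-1) - max_a |W(a)|/2 with W(a) = sum_x (-1)^(f(x) + a.x) (naive Walsh transform)."""
    table = truth_table(f, n)
    max_walsh = 0
    for a in range(1 << n):
        w = sum((-1) ** (table[x] ^ (bin(a & x).count("1") & 1)) for x in range(1 << n))
        max_walsh = max(max_walsh, abs(w))
    return (1 << (n - 1)) - max_walsh // 2

def is_balanced(f, n):
    table = truth_table(f, n)
    return 2 * sum(table) == len(table)

def design_parameters(f, n):
    """{v, k, beta, r_1..r_v} of section 2, plus the pair repetitions lambda_ij."""
    k = len(next(iter(f)))
    reps = tuple(sum(1 for t in f if i in t) for i in range(1, n + 1))
    pairs = {(i, j): sum(1 for t in f if i in t and j in t)
             for i, j in combinations(range(1, n + 1), 2)}
    return (n, k, len(f)) + reps, pairs

def lemma2_holds(f, n):
    """Lemma 2: every transposition (ij) in H(f) has r_i = r_j."""
    reps = design_parameters(f, n)[0][3:]
    for p in stabilizer(f, n):
        moved = [i for i in p if p[i] != i]
        if len(moved) == 2 and reps[moved[0] - 1] != reps[moved[1] - 1]:
            return False
    return True

# The paper's V_6 examples (section 3), each given by its homogeneous complement.
FC_BENT = terms("123", "145", "246", "356")                  # eq. (13)
FC_BAL14 = terms("126", "136", "145", "234", "235", "456")   # eq. (20)
FC_BAL15 = terms("146", "156", "235", "245", "345")          # section 3.2 (B)
F_BENT = homogeneous_complement(FC_BENT, 6, 3)
F_BAL14 = homogeneous_complement(FC_BAL14, 6, 3)
F_BAL15 = homogeneous_complement(FC_BAL15, 6, 3)
# The 28-term V_7 function of section 4 as transcribed here (assumption): the 7 terms it lacks.
F_V7 = homogeneous_complement(terms("157", "167", "247", "256", "345", "346", "356"), 7, 3)

if __name__ == "__main__":
    for name, f in [("bent", F_BENT), ("14-term", F_BAL14), ("15-term", F_BAL15)]:
        h = len(stabilizer(f, 6))
        print(name, "terms", len(f), "|H(f)|", h, "|PG(f)|", factorial(6) // h,
              "balanced", is_balanced(f, 6), "N_f", nonlinearity(f, 6))
    print("V_7 function balanced:", is_balanced(F_V7, 7))
```

Because $P_n^{(d)}$ is fixed by every permutation, $H(f)$ and $H(f_c)$ coincide, so the stabiliser can be computed from whichever representation is shorter, exactly as the paper does; the printout lists $N_f$ for the two balanced classes so that it can be compared with the value stated in section 3.2.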

4 Discussion 

Let $V_m$ and $V_n$ be two boolean spaces. If $m < n$, then $V_m$ is a subspace of 
$V_n$ ($V_m \subset V_n$). If a function is balanced on $V_m$, the function is balanced on $V_n$. 
For $n < 5$, there is no 3-homogeneous boolean function which is either balanced 
or bent. The above discussion can be directly extended to the boolean spaces 
$V_n$: 3-homogeneous balanced boolean functions may exist in any boolean 
space $V_n$ ($n > 5$). For example, 

$x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_2x_7 \oplus x_1x_3x_4 \oplus x_1x_3x_5 \oplus$ 
$x_1x_3x_6 \oplus x_1x_3x_7 \oplus x_1x_4x_5 \oplus x_1x_4x_6 \oplus x_1x_4x_7 \oplus x_1x_5x_6 \oplus x_2x_3x_4 \oplus$ 
$x_2x_3x_5 \oplus x_2x_3x_6 \oplus x_2x_3x_7 \oplus x_2x_4x_5 \oplus x_2x_4x_6 \oplus x_2x_5x_7 \oplus x_2x_6x_7 \oplus$ 
$x_3x_4x_7 \oplus x_3x_5x_7 \oplus x_3x_6x_7 \oplus x_4x_5x_6 \oplus x_4x_5x_7 \oplus x_4x_6x_7 \oplus x_5x_6x_7$ 

is balanced on $V_7$ and 

$x_1x_2x_3 \oplus x_1x_2x_4 \oplus x_1x_2x_5 \oplus x_1x_2x_6 \oplus x_1x_2x_7 \oplus x_1x_2x_8 \oplus x_1x_3x_4 \oplus$ 
$x_1x_3x_5 \oplus x_1x_3x_6 \oplus x_1x_3x_7 \oplus x_1x_3x_8 \oplus x_1x_4x_5 \oplus x_1x_4x_6 \oplus x_1x_4x_7 \oplus$ 
$x_1x_4x_8 \oplus x_1x_5x_7 \oplus x_1x_5x_8 \oplus x_1x_6x_7 \oplus x_1x_6x_8 \oplus x_2x_3x_5 \oplus x_2x_3x_6 \oplus$ 
$x_2x_3x_7 \oplus x_2x_3x_8 \oplus x_2x_4x_5 \oplus x_2x_4x_7 \oplus x_2x_6x_8 \oplus x_2x_7x_8 \oplus x_3x_4x_5 \oplus$ 
$x_3x_4x_7 \oplus x_3x_5x_6 \oplus x_3x_5x_7 \oplus x_3x_5x_8 \oplus x_3x_7x_8 \oplus x_4x_5x_8 \oplus x_4x_6x_8 \oplus$ 
$x_4x_7x_8 \oplus x_5x_6x_7 \oplus x_5x_6x_8 \oplus x_5x_7x_8 \oplus x_6x_7x_8$ 

is balanced on $V_8$. So far, we have not found any 3-homogeneous bent functions in $V_8$ or $V_{10}$. 
Since the functions we discuss are homogeneous, every single term in a function 
has the same properties on the boolean space. Therefore, the repetitions of variables 
and pairs of variables directly affect the properties of the boolean function. 
Further study will be undertaken to try to construct boolean functions that satisfy 
the cryptographically desirable properties through the study of repetitions of 
variables and pairs. 
Abstract. Limiting escrow activity in time has been an important requirement 
for key escrow systems. Recently two protocols were proposed 
for limited time span key escrow and contract bidding. We investigate 
the proposed protocols, bring out certain issues that were neglected in 
the proposal and amend it in a manner that these issues will be dealt 
with. Our proposal does not require tamper proofness for security 
of the system and assumes minimal trust in the trustees of the system 
to achieve a more robust scheme. The importance of publicly verifiable 
proofs is highlighted in this paper. 



1 Introduction 

The fundamental concept behind key escrow proposals is to protect confidentiality 
of the honest citizen and revoke it from the dishonest citizen. While many 
schemes can be devised to grant or revoke the confidentiality service for selected 
users (citizens), the judgment whether a citizen is honest or dishonest can only 
be reached with human involvement. This seems to be one of the weak links 
in any escrow system. A person in the government might be honest when the 
government is in control, but when another government takes over (possibly by 
a coup) the same person may be viewed as dishonest. This is applicable for all citizens, 
even for government officials who might control the escrow system. For any 
escrow system to be complete it should (at least partially) counter this problem. 

The main problem related to this phenomenon is decryption (using the escrow 
mechanism) of ciphertexts that were intercepted in the past. The Clipper 
proposal suffered from this weakness. In the proposal, when the law enforcement 
agency (LEA) obtains a single court order it can decrypt past, present 
and future communications from/to the target without any form of restraint. 

Limiting escrow activity in time is essential for escrow systems [...]. Many 
proposals relied on tamper-proof hardware (or software) to accomplish this requirement. 
Reliance on tamper-proofness, especially in software, is difficult and 
will affect scalability of the implementation. Many proposals [...] relied only on 
certification procedures to accomplish the goal of the protocol. The discussion 
in this paper is on such schemes. 
A similar but contrasting problem is in contract bidding schemes. In these 
schemes the bidder (citizen) needs protection from an organisation (government). 
The requirement is that the organisation must not be able to decrypt the ciphertext 
containing the bid before a certain time. This can be viewed as a future 
problem. In the threat model of this problem: 

1. if full control to decrypt the bid is granted to the bidder, he/she may refrain 
from decrypting the bid (due to unfavourable conditions). This could result 
in loss for the organisation. 

2. if full control to decrypt the bid is granted to the organisation, it could 
decrypt the bid well in advance. 

In this discussion, we concentrate on the schemes proposed by Burmester et 
al. [...] for a private key escrow scheme and a contract bidding scheme, both of 
which aimed to achieve the time limiting property without relying on tamper-proofness. 
A multi-party protocol [...] that required the citizen, LEA and all 
trustees to be available during the set-up phase was used. We present a modified 
scheme that does not require the trustees to be on-line during the registration 
phase and greatly improves the robustness by using publicly verifiable encryption. 
This approach will result in a more robust system in which trust on the 
trustees is minimal. 

Section 2 discusses the limited time span escrow solution proposed in [...] and 
its drawbacks, and section 3 presents amendments to their scheme. Section 4 
presents an efficient contract bidding scheme based on verifiable partial key 
escrow [...]. Section 5 contains the conclusion of this paper. 

2 Time Controlled Key Escrow 

Burmester et al. [...] proposed a key escrow system that was claimed to limit 
the time span of wiretapping. The driving argument in the paper was that the 
trustees could be compromised at some point of time. It was assumed that at 
least a minimum number of the trustees will be honest in erasing the old share 
of the private key after computing the new share from the old share. We point 
out that the argument that the trustees could be compromised may result in 
severe repercussions on the trust model of the system. The actual duties for 
which the trustees are trusted were not clearly mentioned in their paper. These 
reasons directly contribute to an attack on the system when a citizen (possibly 
an influential government officer) conspires with at least a minimum number of 
the trustees, to avoid escrow and still get his/her public key certified. In the 
$l$-out-of-$l$ model that was detailed in [...], the minimum number is one. 

According to their scheme, citizens can periodically update the private keys 
and at the same instance the trustees can simultaneously update the respective 
shares. Also, if at least one of the trustees erases its old share, then it will be 
difficult to compute the old private key from the existing shares. Only the new 
private key can be reconstructed. This property is achieved using a homomorphic 
one-way function. Let $f$ be a one-way function, $s$ the private key and $s_i$ 
the share for trustee $i$. When $s = \prod s_i$ and $f(s) = f(\prod s_i) = \prod f(s_i)$, $f$ is said 
to be homomorphic. In [...] squaring in a composite modulus was used to realise 
$f$, thus $f(x) = x^2 \bmod n$, where $n$ is a composite number whose factorisation 
is unknown. A proof of the Diffie-Hellman relationship, $DH(g^a, g^b) = g^{ab}$, was 
used in [...] to generate proofs for correctness of the shares generated by the citizens. 
We use this proof in the off-line mode for our scheme. This can be achieved 
using the standard hashing approach to generate challenges. A brief description 
of the key escrow proposal by Burmester et al. [...] is presented in appendix [...]. 
The following section uses terminologies from the appendix. 



2.1 Protocol Failures 

The underlying assumption for the development of this scheme was that the 
trustees could be compromised at some instance of time, but the protocols for 
the three phases assumed complete trust in the trustees. We argue that these 
contradictory assumptions in the design of the system are serious flaws. Moreover, 
it is very difficult to place complete trust in any entity in practice. Secure 
systems should place minimal trust in necessary parties in a protocol and explicitly 
mention the assumptions on trust relationships. In this paper, we focus 
on the type of attacks that allow a citizen to by-pass escrow by conspiring with 
some of the trustees, and still use the system in such a way that the identity of 
the conspiring trustees cannot be found. There are three potential break-points 
in the system that could be the focus of such an attack, which are: 

1. In the set-up (or registration) phase the LEA has to unconditionally trust 
the trustees to report fraud against the user when they do not receive the 
discrete logarithm of $\{z_i \mid i = 1, \cdots, l\}$ the user published in the bulletin 
board. An attack could allow the user to give a wrong share to the trustee 
and still get his/her public key certified. No mechanism was proposed that 
would allow any neutral party to detect this fault. 

2. In the up-date phase there is no publicly verifiable proof that the trustee 
will update the shares as prescribed by the protocol. The protocol relied on 
an implicit trust in the trustee for this update. We note that the only trust 
on the trustees that was explicitly mentioned in [...] was the deletion of old 
shares after computing new shares. 

3. In the key recovery phase there is no publicly verifiable proof that will guarantee 
that the trustee will use the correct value of its share $\{s_i \mid i = 1, \cdots, l\}$. 
Some of the trustees could use a wrong value of the share that will prevent 
legal access to the plaintext and be unidentified. 

3 Fault Detectable Equitable Key Escrow System 

We propose extensions to the scheme proposed by Burmester et al. [...] that will 
render a system concording with the primary assumption, namely, some trustees 
are compromisable but a threshold of them are assumed to be honest to erase old 
shares/keys after computing new shares/keys. No other trust is placed on the 
trustees. We use publicly verifiable proofs so that any number of neutral entities 
can check the correctness of operation of the system and detect malicious parties. 
To achieve this, we use the verifiable encryption scheme proposed by Asokan et 
al. [...]. Due to this mechanism our scheme does not require the existence of 
secure channels between citizens and trustees as in [...]. This property improves 
the robustness of the escrow system. Since our proposal is an extension of the 
scheme proposed by Burmester et al. [...], our scheme inherits all its security 
properties. 

3.1 Background 

In this section the protocols used for publicly verifiable encryption and proof of 
equality of discrete logarithms will be explained. The protocols will be specified 
as functions so as to improve clarity in subsequent sections. 

1. Publicly Verifiable Encryption: Using publicly verifiable encryption Alice can 
send a message $m$ encrypted under Bob's public key $y_i$, as $C$, and at the same 
time prove to a third party Carol that the message encrypted in $C$ is the pre-image 
of $\theta(m)$ without revealing $m$, where $\theta$ is a one-way function. We adopt 
the verifiable encryption scheme proposed by Asokan et al. [...]. The merit of this 
scheme is that the encryption technique is essentially independent of the proof 
mechanism, which is not the case in the scheme proposed by Stadler to achieve 
publicly verifiable secret sharing [...]. It is worth noting that the scheme in [...] 
can be used in [...] to achieve a more generic mechanism for publicly verifiable 
secret sharing. We present an off-line version of the verifiable encryption scheme 
in the form of functions, to improve clarity of discussion. The reader is referred 
to [...] for a complete discussion on this scheme. A brief description and pseudo-code 
for the functions of the off-line verifiable encryption scheme are presented 
in appendix [...]. Subsequent discussions will heavily borrow the terminologies 
presented in appendix [...]. 

2. Proof of Equality of Discrete Logarithms: Let $p$ be a large prime. When 
$y = g^x \bmod p$ and $z = h^x \bmod p$, a proof of equality of discrete logarithms allows 
the prover to prove that $\log_g y = \log_h z \bmod p$ without revealing $x$. There are interactive, 
zero-knowledge and non-interactive protocols to achieve this proof. We 
will use a non-interactive version [...] to improve on communication overheads. 
The function definitions for the generation and verification of such proofs are presented 
in appendix [...]. Subsequent discussions will borrow terminologies from 
appendix [...]. 

3.2 System Settings 

System settings are essentially similar to those proposed in [...] except for certain 
additions to the existing parameters. The LEA is trusted to execute the prescribed 
protocols faithfully. The LEA sets up a public key infrastructure that 
can be used only for securely communicating with the trustees. The public keys 
$\{y_i \mid i = 1, \cdots, l\}$ (corresponding to the private keys $\{x_i \mid i = 1, \cdots, l\}$) are certified 
and registered in a public directory. At least a minimum number of the 
trustees are trusted to change their public-private key pair periodically, publish 
the new public key and erase the previous private key. This is essential to avoid 
decryption of the encrypted shares sent to the trustees using their public keys 
at an arbitrary point of time. 



3.3 Set-Up Phase 

Citizen $j$ generates a large prime number $p_j$ such that $p_j = 2 p_{j1} p_{j2} + 1$, where $p_{j1}$ 
and $p_{j2}$ are large primes. Also, $p_{j1} \equiv p_{j2} \equiv 3 \bmod 4$, so that $-1$ is a quadratic 
non-residue in the fields $Z_{p_{j1}}$ and $Z_{p_{j2}}$. Let $n_j = p_{j1} p_{j2}$. The citizen then chooses 
$g_j \in Z_{p_j}$ that is a generator of $Z_{p_j}^*$ and its private key $x_j \in_R Z_{n_j}$. He/she then 
computes the public key as $y_j = g_j^{x_j} \bmod p_j$. The public data will be $\{g_j, y_j, p_j\}$. 
The private data will be $\{x_j, p_{j1}, p_{j2}\}$. The citizen and the LEA engage in a 
protocol that has the following steps: 

1. Citizen: Computes the shares for the trustees as $x_j = \prod_{i=1}^{l} s_i \pmod{p_j - 1}$ 
and performs verifiable encryption of the shares as $\{$VerEnc with input 
$(s_i, g, p, y_i)$ and output $(c_i, D_i, P_{1i}, \cdots, P_{si}) \mid i = 1, \cdots, l\}$. Sends 
$\{c_i, D_i, P_{1i}, \cdots, P_{si} \mid i = 1, \cdots, l\}$ to the LEA. 

2. LEA: Checks the proofs of verifiable encryption as $\{$CheckVerEnc with input 
$(c_i, p, g, D_i, P_{1i}, \cdots, P_{si})$ and output $(check_i) \mid i = 1, \cdots, l\}$. If any of the $check_i$ 
is FAIL then signals an error message to the citizen and terminates the protocol. 

3. Citizen: Sends $\{z_i \mid i = 1, \cdots, l\}$ and the proofs of $z_i = DH(z_{i-1}, D_i)$ 
for $i = 2, \cdots, l$ to the LEA. 

4. LEA: If proofs for all the Diffie-Hellman relationships are correctly verified, 
certifies $y_j = z_l$ as the citizen's public key in the system. Forwards the 
verifiable encryption $(c_i, D_i, P_{1i}, \cdots, P_{si})$ to trustee $i$, who can decrypt it 
with the knowledge of $x_i$ as DecryptVerEnc with inputs $(x_i, c_i, P_{1i}, \cdots, P_{si})$ 
and output $(s_i)$, which is the share of the citizen's secret key. The LEA stores 
the value of $D_i$ against trustee $i$'s identity along with citizen $j$'s identity. 

In the above protocol the LEA need not trust any other entity to check the 
correctness of the proofs. Moreover, any other neutral entity can verify the correctness 
of this protocol due to the presence of publicly verifiable proofs. 



3.4 Update Protocol 

1. Citizen: Computes $x_j^{new} = x_j^2 \pmod{p_j - 1}$, computes $y_j^{new} = g_j^{x_j^{new}} \bmod p_j$ 
and proves the relationship $y_j^{new} = DH(y_j, y_j)$ to the LEA. 

2. LEA: Temporarily stores $y_j^{new}$ in the local directory along with the citizen's 
identity. 

3. Trustees: Compute $\{s_i^{new} = s_i^2 \pmod{p_j - 1} \mid i = 1, \cdots, l\}$, compute 
$\{D_i^{new} = g_j^{s_i^{new}} \bmod p_j \mid i = 1, \cdots, l\}$ and prove the relationship 
$\{D_i^{new} = DH(D_i, D_i) \mid i = 1, \cdots, l\}$ to the LEA. 

4. LEA: Certifies the new public key of the citizen, replaces the old value of 
the public key with the new value in the public directory of the citizen, and 
updates the local directory by replacing the value of $D_i$ with the value of $D_i^{new}$. 

5. Trustees: Delete and forget the old shares. 

The modified update protocol enforces the correct and synchronised update of 
shares when the public key is updated. It is noted that this enforcement was absent 
in [...]. Note that the trustees have to be trusted to perform step 5 correctly, as 
there are no known techniques that provide such guarantees. 

3.5 Key Recovery Phase 

The LEA intercepts the ciphertext pair $(A, B) = (g_j^r, M y_j^r)$ sent to citizen $j$, 
obtains a court order to wiretap the citizen's communication and presents $A$ 
along with the court order to the LEA. The LEA then engages in the protocol 
detailed in appendix A.4 with the trustees. If message decryption fails after this 
protocol, then each trustee proves that it used the correct value of its share using 
the proof of equality of discrete logarithms described in appendix [...]. The proof 
basically shows that $\log_{g_j} D_i = \log_{E_{i-1}} E_i \bmod p_j$, which is to prove that the 
trustees have used the discrete logarithm of $D_i$ (the share $s_i$) to compute $E_i$ 
from $E_{i-1}$. The LEA and the trustees engage in the following protocol: 

1. LEA: Sends $A$ to trustee 1. 

2. Trustees: Compute $\{E_i = E_{i-1}^{s_i} \bmod p_j \mid i = 1, \cdots, l\}$, where $E_0 = A$, and 
compute the proof of equality of discrete logs as $\{$LogEq with input 
$(s_i, g_j, E_{i-1}, D_i, E_i, p_j)$ and output $(d_i, e_i) \mid i = 1, \cdots, l\}$. Send $\{E_i, d_i, e_i\}$ 
to the LEA. 

3. LEA: Computes $\{$CheckLogEq with input $(d_i, e_i, g_j, E_{i-1}, D_i, E_i, p_j)$ 
with output $(check_i) \mid i = 1, \cdots, l\}$. If $check_i$ is FAIL register fraud against 
trustee $i$. 

4. LEA: Computes $M = B / E_l \bmod p_j$. 

This protocol guarantees message recovery or identification of the malfunctioning 
trustee, whichever the case may be. 

3.6 Security Analysis 

The security of our protocol relies on the security of publicly verifiable encryption 
and equitable key escrow with limited time span [...]. 

Proposition 1: Nobody except the corresponding trustee can obtain information 
about the private key of the user from the verifiably encrypted ciphertexts 
if the verifiable encryption of Asokan et al. [...] is secure. 

Proposition 2: No citizen can obtain a valid certificate without legal escrow 
of the private key, even by colluding with a minimum number of trustees. 

In order to avoid key escrow and at the same time obtain a valid certificate, 
the citizen must be able to perform any one of the following: 

1. Generate a wrong proof that will pass the verification procedure of verifiable 
encryption, so that a wrong pre-image of the commitment ($g^{s_i}$) 
for the encryption can be sent to the authorities. Since the verifiable encryption 
technique in [...] is assumed to be secure, this will not be possible. 

2. Generate a wrong proof that will pass the verification procedure to prove the 
Diffie-Hellman relationship $\bmod p_j$, so that wrong values of shares can be 
encrypted for the escrow agent. Since the proof in [...] is assumed to be 
secure, this will not be possible. 

Proposition 3: No trustee can use a wrong value of the share during the key recovery 
phase and be unidentified, due to the publicly verifiable proof of knowledge. 

If the trustee uses a different value in the key recovery phase, it must be 
able to generate wrong proofs for the proof of equality of discrete logarithms 
to avoid identification. Since the proof of equality of discrete logarithms is 
assumed to be secure, malicious trustees cannot remain unidentified. 



3.7 Computational Requirements 

The robustness of our protocol is a result of extra computations. The inclusion 
of publicly verifiable encryption in the set-up phase is the major source of the 
computational overhead. Since the set-up protocol is performed only once per 
user, it is not considerable when the robustness of the protocol is taken into 
account. The computational requirement for the publicly verifiable encryption 
is: 

Prover: The major computations that the prover has to perform are $2N + 1$ hash 
computations and $N$ exponentiations, where $N$ is the security parameter of 
the protocol, which is 80 in our protocol. Asokan et al. [...] suggest that each 
party can do this using under 2000 modular multiplications. 

Verifier: The verifier has to perform $2N + x + 1$ hash computations and $N$ 
exponentiations, where $x$ is the number of 1's in the challenge $c$. 

The extra computational overhead in the update phase in our scheme as compared 
to [...] is due to the DH relationship proof that has to be performed once 
by each trustee and $l$ times by the LEA. In the key recovery phase, if message 
recovery is successful then the computational overhead will be zero. 



4 Time Controlled Auction Bidding 

We classify contract bidding systems, along with key escrow and electronic voting 
systems, in the class of systems called compliant (or democratic) systems. These 
systems, apart from other important properties, have a very delicate trust model 
and distributed control over data. Entities do not necessarily trust each other or 
possess complete control over important data, such as information about some 
plaintext, session key, identity etc. Shared control over data is a characteristic 
property of such systems. 

In a contract system a bidder wishes to submit and commit to a confidential 
piece of information known as the bid. Only the bidder can know any information about 
the bid until a certain time, after which the bid must be opened, or publicly 
known. A simple solution would be to encrypt the bid under the public key of 
a trusted third party, who will decrypt the bid only after a certain time. But, 
as stated in the previous section, in practice it is extremely difficult to realise 
such a trusted party. Another approach would be to distribute the capability to 
open the bid among many entities, of which the bidder could be one. The system 
can be designed such that decryption of the bid will be trivial when the bidder 
participates in the bid opening protocol. Also, decryption will be non-trivial but 
bounded in finite time when the bidder does not participate in the bid opening 
protocol. This finite time can be tuned so that the bid can be decrypted only 
after the bid opening time. 

The scheme proposed in [...] employs double encryption to realise the distributed 
control to decrypt the bid. It was claimed that the concept of weak 
encryption was used for this purpose. Two ElGamal cryptosystems are chosen 
with public keys $\{g_1, y_1 (= g_1^{x_1} \bmod n)\}$ and $\{g_2, y_2 (= g_2^{x_2} \bmod n)\}$ such that 
the first cryptosystem provides strong encryption and the second provides weak 
encryption that could be cryptanalysed using brute force techniques. The bidder 
verifiably escrows the private key $x_1$ corresponding to the public key $y_1$ so that 
the shareholders have its shares, and proves that the second cryptosystem is indeed 
weak. The bidder encrypts the bid $m$ as $(g_1^{r_1}, g_2^{r_2}, m y_1^{r_1} y_2^{r_2})$ with $r_1$ and $r_2$ chosen 
at random from $Z_n^*$. At the time of opening the tender the bidder reveals $x_1$ and 
$x_2$ to the organisation so as to decrypt the bid. If the bidder does not reveal 
$x_1$ and $x_2$, the organisation obtains $x_1$ from the shareholders and decrypts the 
outer encryption to obtain $(g_2^{r_2}, m y_2^{r_2})$. The organisation then has to decrypt 
this ciphertext using brute force. 



4.1 An Alternative Scheme 

We outline an alternative scheme that can use verifiable partial key escrow [...] 
or publicly verifiable partial key escrow [...] to realise the distributed control to 
decrypt the bid. The use of escrow technology makes this scheme more streamlined 
with our paper. The main goals of partial key escrow are: 

1. Avoid full escrow of the private key. This considerably reduces trust on the 
escrow agents. 

2. Avoid mass wiretapping. 

3. Avoid brute force attack on the unescrowed portion of the private key without 
the help of the escrow agents. That is to avoid "early key recovery." 

Our system consists of the organisation that accepts the bid, the bidder and 
the shareholders who act as escrow agents. The organisation chooses large primes 
$p$ and $q$ such that $p - 1 = 2q$, so that $Z_p^*$ has a multiplicative subgroup of 
prime order $q$. Henceforth all operations will be modulo $p$ arithmetic unless 
stated otherwise. The shareholders select two generators $g \in Z_q$ and 
$h \in Z_p^*$ such that $\log_g h$ is unknown. This condition is essential for the 
security of the commitment schemes m 2 ]. The committer can commit to $z \in Z_q$ 
as $Z = g^z h^v$ for $v \in_R Z_q$. This is possible because the pair $(z, v)$ is 
unique for a fixed $Z$. A suitable threshold cryptosystem is set up for the 
shareholders. The bidder registers in the system using the registration 
procedure, which is: 

1. Chooses a private key $s \in_R Z_q$ such that $s = x + a \bmod q$, where $x$ is a 
large number and $a$ is a number that has a pre-defined bit length $l$. The value 
of $a$ is chosen such that it can be recovered in $2^l$ steps. The corresponding 
public key will be $P = g^s = g^x g^a$. 

2. Generates the commitment for $x$ as $X = g^x h^u$ and a bit-by-bit commitment 
for $a$ as $\{A_i = g^{a_i} h^{u_i} \mid i = 0, \ldots, 2l-1\}$, where 
$u, u_0, \ldots, u_{2l-1} \in_R Z_q$ and $a_i$ is the $i$-th bit of $a$. The 
commitments $(X, \{A_i \mid i = 0, \ldots, 2l-1\})$ are sent to the shareholders 
and the organisation. 

3. The bidder proves that the commitments define the key. This is done by 
computing $w = u + \sum_{i=0}^{2l-1} u_i 2^i \bmod q$. The value of $w$ is sent to 
the shareholders and the organisation. This proof can be checked as 
$P h^w = X \prod_{i=0}^{2l-1} A_i^{2^i}$. 

4. The bidder proves that the value of $a$ is indeed small by employing the 
publicly verifiable proof proposed by Mao m- 

5. The bidder escrows the large component $x$ of the private key using any of 
the verifiable secret sharing schemes. 

When all the steps in the registration phase are performed, the bidder encrypts 
the bid $m$ as $(A, B) = (g^r, m P^r)$. The bidder sends $(A, B)$ to the 
organisation and proves the correctness of the encryption by employing the 
verifiable encryption technique detailed in section m 

At the time when the bid is to be opened the bidder reveals the private key $s$ 
corresponding to the public key $P$ to the organisation so that it can decrypt the 
bid. If the bidder does not reveal the private key, the organisation approaches 
the shareholders to obtain $x$. Then it computes $g^a = P / g^x$ and the discrete 
logarithm of $g^a$ by using appropriate methods (such as Shanks' baby-step 
giant-step 0) for computing discrete logarithms. 
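As an added illustration (not code from the paper), the following Python sketches the registration check of step 3 and the bid opening of the last paragraph: the commitments $X$ and $A_i$, the opening value $w$, the shareholder check $P h^w = X \prod A_i^{2^i}$, and the organisation's recovery of $a$ from $g^a = P/g^x$ by Shanks' baby-step giant-step. The group ($p$, $q$, $g$, $h$) and the bit length $l$ are constructed toy values, far too small for real use; Mao's smallness proof (step 4) and the secret sharing of $x$ (step 5) are assumed to have happened and are not implemented.

```python
import math
import random

# Toy parameters, constructed for this example: p = 2q + 1 with p, q prime.
# g and h generate the order-q subgroup of Z_p^*; in a real deployment they must
# be chosen so that log_g(h) is unknown to everyone (assumed here, not enforced).
P_MOD = 2039
Q_ORD = 1019
G = 4
H = 9
L_BITS = 8            # bit length l of the small component a


def commit(value, blind):
    """Commitment g^value * h^blind mod p, the form used by the paper."""
    return pow(G, value, P_MOD) * pow(H, blind, P_MOD) % P_MOD


def register(x, a, rng):
    """Bidder side of steps 1-3: key pair, commitments X and A_i, opening value w."""
    assert 0 <= a < 2 ** L_BITS
    s = (x + a) % Q_ORD
    pub = pow(G, s, P_MOD)                              # P = g^s = g^x g^a
    u = rng.randrange(Q_ORD)
    big_commit = commit(x, u)                           # X = g^x h^u
    bit_blinds = [rng.randrange(Q_ORD) for _ in range(2 * L_BITS)]
    bit_commits = [commit((a >> i) & 1, bit_blinds[i])  # A_i = g^{a_i} h^{u_i}
                   for i in range(2 * L_BITS)]
    w = (u + sum(bit_blinds[i] << i for i in range(2 * L_BITS))) % Q_ORD
    return s, pub, big_commit, bit_commits, w


def check_registration(pub, big_commit, bit_commits, w):
    """Shareholder/organisation check of step 3: P h^w == X prod A_i^(2^i) mod p."""
    lhs = pub * pow(H, w, P_MOD) % P_MOD
    rhs = big_commit
    for i, a_i in enumerate(bit_commits):
        rhs = rhs * pow(a_i, 1 << i, P_MOD) % P_MOD
    return lhs == rhs


def bsgs(target, bound):
    """Shanks' baby-step giant-step: the a < bound with g^a == target mod p, or None."""
    m = math.isqrt(bound - 1) + 1
    baby = {}
    cur = 1
    for j in range(m):                     # baby steps: g^j -> j
        baby.setdefault(cur, j)
        cur = cur * G % P_MOD
    giant_step = pow(G, -m, P_MOD)         # g^{-m}
    gamma = target
    for i in range(m):                     # giant steps: target * g^{-im}
        if gamma in baby:
            return i * m + baby[gamma]
        gamma = gamma * giant_step % P_MOD
    return None


def recover_key_from_escrow(pub, x):
    """Organisation recovers s from the escrowed x alone: g^a = P / g^x, then a by BSGS."""
    g_a = pub * pow(G, -x, P_MOD) % P_MOD
    a = bsgs(g_a, 2 ** L_BITS)
    return (x + a) % Q_ORD


def encrypt_bid(bid, pub, rng):
    """(A, B) = (g^r, bid * P^r) mod p."""
    r = rng.randrange(1, Q_ORD)
    return pow(G, r, P_MOD), bid * pow(pub, r, P_MOD) % P_MOD


def decrypt_bid(cipher, s):
    a_part, b_part = cipher
    return b_part * pow(a_part, -s, P_MOD) % P_MOD


def demo(seed=7, x=500, a=173, bid=1234):
    """End-to-end run: register, check, recover s without the bidder, open the bid."""
    rng = random.Random(seed)
    s, pub, big_commit, bit_commits, w = register(x, a, rng)
    ok = check_registration(pub, big_commit, bit_commits, w)
    recovered = recover_key_from_escrow(pub, x)
    opened = decrypt_bid(encrypt_bid(bid, pub, rng), recovered)
    # a commitment set that does not match the published key must be rejected
    tampered = check_registration(pub * G % P_MOD, big_commit, bit_commits, w)
    return ok, recovered == s, opened, tampered
```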

5 Conclusion 

We have described certain design flaws in the protocol construction for equitable 
key escrow for limited time span proposed by Burmester, Desmedt and Seberry ^ 
that resulted in a type of attack in which the user can avoid escrow by colluding 
with a minimum number of trustees. We have proposed improvements to the protocol 
by employing publicly verifiable proof techniques. We also pointed out that such 
proofs will greatly help in considerably reducing the trust that has to be placed 
on the trustees. We also presented a design perspective for a contract bidding 
scheme that uses verifiable partial key escrow and publicly verifiable proof 
techniques (again to reduce the amount of trust placed on the trustees). Our 
bidding scheme is a better alternative to the one proposed in P], as clearer 
trust requirements can be specified using publicly verifiable proof techniques. 
Appendix 

A Key Escrow with Limited Time Span 

The proposal by Burmester et al. is briefly outlined here. For a more complete 
discussion, we refer to 0]. 

A.1 System Settings 

The user generates a large prime $p$ such that $p - 1$ has two large prime factors 
$p_1$ and $p_2$, such that $p_1 \equiv p_2 \equiv 3 \pmod 4$, so that $-1$ is a 
quadratic non-residue in the fields $Z_{p_1}$ and $Z_{p_2}$. The user then publishes 
$p$ and $g \in Z_p$, such that the order of the element $g$ is $p_1 p_2$. 

A.2 Set-Up Phase 

The user chooses a secure private key $a \in_R Z_{p-1}^*$ and computes $l$ shares 
$\{s_i \mid i = 1, \ldots, l\}$ of $a$, such that $\prod_i s_i = a \pmod{p-1}$. The 
user then computes the public key $y_a = g^a \pmod p$. The user publishes $y_a$ 
along with $p$ and $g$. He/she then engages in a multi-party protocol with the law 
enforcement agency (LEA) and the $l$ trustees in order to obtain a certificate. 
The multi-party protocol essentially consists of the following steps: 

1. The user securely communicates the respective shares to the corresponding 
trustees and publishes $z_i = g^{s_i}$ for $i = 1, \ldots, l$ on a bulletin board. 

2. Each trustee checks if it has received the discrete logarithm of the respective 
$z_i$ published on the bulletin board. If not, the trustee registers a fraud 
message against the user with the LEA. 

3. The user sends $z_{1,2,\ldots,k} = g^{s_1 s_2 \cdots s_k}$ for $k = 2, \ldots, l$ 
to the LEA along with the proofs for $z_{1,2,\ldots,k} = DH(z_{1,2,\ldots,k-1}, z_k)$ 
for $k = 2, \ldots, l$. It can be noted that $z_{1,2,\ldots,l} = y_a$. 

4. If no fraud was registered against the user by any of the trustees, the LEA 
checks the proofs for $z_{1,2,\ldots,k}$ for $k = 2, \ldots, l$ by reading the 
individual values of $z_k$ from the bulletin board. 

5. If the LEA checks the proofs successfully, then it certifies 
$y_a = z_{1,2,\ldots,l}$ as the user's public key in the system. 

A.3 Update Phase 

The homomorphic property of the squaring operator on the private key is used 
in this phase. The user computes the new private key as $a_{new} = a^2$ and 
trustee $i$ updates its share as $s_i^{new} = s_i^2$. After computing the new 
share, at least a threshold of the trustees are trusted to erase and forget the 
old shares. The user then proves to the LEA that $y_{a_{new}} = g^{a_{new}}$ is the 
Diffie-Hellman value of the old public key $y_a$, that is 
$y_{a_{new}} = DH(y_a, y_a)$, to obtain a certificate for the new public key. 

A.4 Key Recovery Phase 

The users are expected to use the ElGamal cryptosystem to securely communicate 
using certified public keys. The ciphertext in this system will then be of the 
form $(g^r, M y_a^r) = (A, B)$ for the public key $(y_a, g, p)$. When the LEA 
obtains a court order to wire-tap the communication of a user, it intercepts the 
ciphertexts sent to the user. The ciphertext component $A$ along with the court 
order are sent to the trustees. The trustees then engage in a multi-party 
protocol to compute $y_a^r$ from $A$ using their respective shares by computing 
$C = A^{s_1 s_2 \cdots s_l}$, where $s_i$ is the share held by trustee $i$ at that 
time. When the LEA is given $C$ it can compute the message as $M = B/C$. 

B Function Definitions for Verifiable Encryption 

The pseudocode of functions that can be used for verifiable encryption is 
presented here. These functions can be used to realise an off-line version of the 
verifiable encryption proposal in 

B.1 System Settings 

Let $C = Enc(t, s_1, y)$ be a public key encryption function that encrypts the 
message $s_1$ of length $k_s$ under the public key $y$ using the random string $t$ 
of length $k_t$ bits, and let $s_1 = Dec(C, x)$ be the public key decryption 
function that decrypts the ciphertext $C$ using the private key $x$ corresponding 
to the public key $y$. The OAEP encryption function of Bellare and Rogaway, which 
is based on the RSA problem, is recommended. The one-way function is realised by 
modular exponentiation as $O(m) = g^m \bmod p$, where $g \in Z_p^*$ is a 
generator. A set of hash functions is chosen such that 
$H_1 : \{0,1\}^{160} \to \{0,1\}^{\ldots}$, $H_2 : \{0,1\}^* \to \{0,1\}^{160}$, 
$H_3 : \{0,1\}^* \to \{0,1\}^{160}$, and $H_4 : \{0,1\}^* \to \{0,1\}^{80}$. To 
verifiably encrypt a message $s_1 \in Z_p^*$ under the public key $y$, the 
sender/prover uses the functions in the following sub-sections. 

B.2 Function VerEnc 

1. Select a random number $r$ and compute its hash value as $(t, s_2)$, which 
are the higher and lower order bits of the result, respectively. Use $t$ as the 
randomiser to encrypt $s_2$ under the public key $y$. Compute the commitment to 
the encrypted message as $g^{s_2}$, where $g \in Z_p^*$ is the generator of the 
multiplicative group. Compute the hash value of the ciphertext and the 
commitment as $h$. 

2. In a challenge-response mode $h$ is sent to the verifier who chooses a 
challenge $c \in \{0, 1\}$. In our applications we make use of the standard 
hashing approach to realise an off-line version of the protocol. The prover 
generates many hash values $\{h_j \mid j = 1, \ldots, n\}$, where $n$ is the 
security parameter, which is 80 in our case. The prover then computes the hash 
value of all $h_j$ to obtain the challenge $c$, and uses the bits of $c$ as the 
challenge. 

3. If the bit of the challenge $c$ is 0, the prover opens the encryption and 
does not send message information. If the bit is 1, the prover does not open 
the encryption but sends message information that can be decrypted using 
the private key corresponding to the public key used for encryption. 
The algorithm can be described by the function VerEnc as follows: 

Function VerEnc with input (s_1, g, p, y) 
and output (c, D, P_1, ..., P_80) is 

    Compute: D = g^{s_1} mod p; 

    For each j = 1, ..., 80 do 
        Select at random: r_j ∈ {0,1}^{160}; 
        Compute: (t_j, s_{2j}) = H_1(r_j); 
        Encrypt: (A_j, B_j) = (Enc(t_j, s_{2j}, y), g^{s_{2j}} mod p); 
        Compute: h_j = H_2(A_j, B_j); 
    done; 

    Compute: c = H_4(h_1, ..., h_80); 

    For each j = 1, ..., 80 do 
        If c_j is 0 then          /* c_j is the j-th bit of c */ 
            Assign: P_j ← {r_j}; 
        Else 
            Compute: s_{3j} = s_1 + s_{2j} mod p; 
            Assign: P_j ← {A_j, s_{3j}}; 
        EndIf; 
    done; 

End Function VerEnc; 



B.3 Function CheckVerEnc 

1. The verifier recomputes the hash value $h_j$ in one of two ways. If the 
$j$-th bit of $c$ is 0, the encryption can be recomputed from the value of $r_j$ 
and hence the value of $h_j$. If the bit is 1, the verifier recomputes the hash 
value $h_j$ using the ciphertext and the commitment. 

2. The verifier then checks if the challenge was generated properly by 
recomputing the value of $c$ from the values of $h_j$. If the verifier is able to 
check this correctly then the proof is accepted. 

The algorithm can be described by the function CheckVerEnc as follows: 

Function CheckVerEnc with input (c, p, g, D, P_1, ..., P_80) 
and output (check) is 

    For each j = 1, ..., 80 do 
        If c_j is 0 then 
            Assign: {r_j} ← P_j; 
            Compute: (t_j, s_{2j}) = H_1(r_j); 
            Encrypt: (A_j, B_j) = (Enc(t_j, s_{2j}, y), g^{s_{2j}} mod p); 
            Compute: h_j = H_2(A_j, B_j); 
        Else 
            Assign: {A_j, s_{3j}} ← P_j; 
            Compute: h_j = H_2(A_j, g^{s_{3j}} / D); 
        EndIf; 
    done; 

    If c = H_4(h_1, ..., h_80) then 
        Assign: check ← PASS; 
    Else 
        Assign: check ← FAIL; 
    EndIf; 

End Function CheckVerEnc; 



B.4 Function DecryptVerEnc 

1. The receiver locates a ciphertext carrying message information by locating 
a bit position in the challenge $c$ that has the value 1. Note that during 
decryption $j$ has to be selected at random in order to avoid fraud. 

2. The receiver can then decrypt the ciphertext using its private key to obtain 
the message. 

The algorithm can be described by the function DecryptVerEnc as follows: 

Function DecryptVerEnc with input (x, c, P_1, ..., P_80) 
and output (s_1) is 

    Forever do 
        Select at random: j ∈ {1, ..., 80}; 
        If c_j is 1 then 
            Assign: {A, s_3} ← P_j; 
            Break For loop; 
        EndIf; 
    done; 

    Decrypt: s_2 = Dec(x, A); 
    Compute: s_1 = s_3 - s_2 mod p; 

End Function DecryptVerEnc; 
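Added example (not the paper's code): the three functions of Appendix B in Python, using a toy ElGamal encryption as a stand-in for the RSA-OAEP Enc/Dec of B.1, SHA-256 in place of $H_1$, $H_2$ and $H_4$, and $n = 80$ rounds. Two assumptions differ from the pseudocode: the exponent sum $s_{3j} = s_1 + s_{2j}$ is reduced modulo $p - 1$ (the order of $g$), which is what makes $g^{s_{3j}}/D = g^{s_{2j}}$ hold for every $s_1$, and the verifier is handed $y$ so that it can recompute the encryptions of the opened rounds.

```python
import hashlib
import random

# Toy group, constructed for this example: p prime, g a generator of Z_p^*.
P_MOD = 2039
G = 7
N_ROUNDS = 80                     # security parameter n = 80 of the paper


def h_bytes(tag, *parts):
    """Domain-separated SHA-256 standing in for the paper's H_1, H_2, H_4."""
    data = tag.encode() + b"|".join(str(x).encode() for x in parts)
    return hashlib.sha256(data).digest()


def hash1(r):
    """H_1: split the digest into (t, s_2): ElGamal randomiser and masking value."""
    d = h_bytes("H1", r)
    t = 1 + int.from_bytes(d[:16], "big") % (P_MOD - 2)
    s2 = 1 + int.from_bytes(d[16:], "big") % (P_MOD - 1)
    return t, s2


def hash2(a, b):
    return h_bytes("H2", a, b).hex()


def hash4(hs):
    """H_4: 80-bit challenge c computed from all h_j."""
    return int.from_bytes(h_bytes("H4", *hs)[:10], "big")


def keygen(rng):
    x = rng.randrange(1, P_MOD - 1)
    return x, pow(G, x, P_MOD)


def enc(t, m, y):
    """Stand-in Enc(t, m, y): ElGamal under y with randomiser t (not RSA-OAEP)."""
    return pow(G, t, P_MOD), m * pow(y, t, P_MOD) % P_MOD


def dec(x, c):
    c1, c2 = c
    return c2 * pow(c1, -x, P_MOD) % P_MOD


def bit(c, j):
    """c_j, the j-th bit of the challenge (j = 1..80)."""
    return (c >> (j - 1)) & 1


def ver_enc(s1, y, rng):
    """VerEnc: returns (c, D, P_1..P_80); P_j opens the round or carries A_j, s_3j."""
    d_val = pow(G, s1, P_MOD)                          # D = g^{s_1}
    rs, ciphers, s2s, hs = [], [], [], []
    for _ in range(N_ROUNDS):
        r = rng.getrandbits(160)
        t, s2 = hash1(r)
        a = enc(t, s2, y)
        b = pow(G, s2, P_MOD)                          # commitment B_j = g^{s_2j}
        rs.append(r); ciphers.append(a); s2s.append(s2); hs.append(hash2(a, b))
    c = hash4(hs)
    proofs = []
    for j in range(1, N_ROUNDS + 1):
        if bit(c, j) == 0:
            proofs.append(("open", rs[j - 1]))
        else:
            s3 = (s1 + s2s[j - 1]) % (P_MOD - 1)       # mod p-1 so g^{s3}/D = g^{s2}
            proofs.append(("cipher", ciphers[j - 1], s3))
    return c, d_val, proofs


def check_ver_enc(c, d_val, proofs, y):
    """CheckVerEnc: recompute every h_j from the opened or unopened data, then c."""
    hs = []
    for j, pr in enumerate(proofs, start=1):
        if bit(c, j) == 0:
            if pr[0] != "open":
                return False
            t, s2 = hash1(pr[1])
            hs.append(hash2(enc(t, s2, y), pow(G, s2, P_MOD)))
        else:
            if pr[0] != "cipher":
                return False
            a, s3 = pr[1], pr[2]
            b = pow(G, s3, P_MOD) * pow(d_val, -1, P_MOD) % P_MOD   # g^{s_3j} / D
            hs.append(hash2(a, b))
    return c == hash4(hs)


def decrypt_ver_enc(x, c, proofs, rng):
    """DecryptVerEnc: pick a random round with c_j = 1, decrypt A, unmask s_1."""
    ones = [j for j in range(1, N_ROUNDS + 1) if bit(c, j) == 1]
    j = rng.choice(ones)                               # random j, as the paper requires
    _, a, s3 = proofs[j - 1]
    s2 = dec(x, a)
    return (s3 - s2) % (P_MOD - 1)


def demo(seed=3, s1=1234):
    rng = random.Random(seed)
    x, y = keygen(rng)
    c, d_val, proofs = ver_enc(s1, y, rng)
    ok = check_ver_enc(c, d_val, proofs, y)
    recovered = decrypt_ver_enc(x, c, proofs, rng)
    bad = check_ver_enc(c, d_val * G % P_MOD, proofs, y)   # wrong D must be rejected
    return ok, recovered, bad
```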

C Function Definitions for Proof of Equality of Discrete 
Logarithms 

The pseudocode to achieve an off-line version of the generation and verification 
of proofs for equality of discrete logarithms is presented in this section. This 
proof can also easily be extended to realise a proof of knowledge of a discrete 
logarithm. 

C.1 System Settings 

Let $p$ be a large prime such that computing discrete logarithms in $Z_p^*$ is 
difficult. Let $H_5 : \{0,1\}^* \to \{0,1\}^n$ be a cryptographically secure hash 
function with $n$ as the security parameter. 

Generation of the Proof: In the following pseudocode note that construction 
of a valid proof without the knowledge of $\log_g y = \log_m z = x$ is difficult. 
The algorithm can be described by the function LogEq as follows: 
Function LogEq with input (x, g, m, y, z, p) 
and output (d, e) is: 

    Select at random: r ∈_R Z_p; 
    Calculate: d = H_5(g || m || y || z || g^r || m^r); 
    Calculate: e = r - d x (mod p - 1); 

End Function LogEq; 

Verification of the Proof: The verifier checks the proof using the same hash 
function with public inputs. The algorithm can be described by the function 
CheckLogEq as follows: 

Function CheckLogEq with input (d, e, g, m, y, z, p) 
and output (check) is: 

    If d = H_5(g || m || y || z || g^e y^d || m^e z^d) then 
        check ← PASS; 
    Else 
        check ← FAIL; 
    EndIf; 

End Function CheckLogEq; 
Abstract. Mobile communication is more vulnerable to security attacks 
such as interception and unauthorized access than fixed network 
communication. To overcome these problems, many protocols have been proposed 
to provide a secure channel between a mobile station and a base station. 
However, the public-key based protocols are not fully utilized due to the poor 
computing power and the small battery capacity of a mobile station. 

In this paper, we propose some techniques accelerating public-key based 
key establishment protocols between a mobile station and a base station. 
The proposed techniques enable a mobile station to borrow computing 
power from a base station without revealing its secret information. The 
proposed schemes accelerate the previous protocols up to five times and 
reduce the power consumption of a mobile station. 

The proposed schemes use SASC (Server-Aided Secret Computation) 
protocols that are used for smart cards. Our insight is that the unbalanced 
property in computing power of mobile communication is similar to that of 
the smart card system. The acceleration degrees of the proposed schemes are 
quite different from one another according to the SASC protocols used. In 
this paper, we analyze the acceleration factors of the proposed schemes and 
compare them with one another. The analysis shows that one of the approaches 
presents outstanding performance among them. 



1 Introduction 

Networks of the future will allow and prompt universal access, and mobile 
communication will enable users to communicate with others anywhere. However, 
mobile communication is more vulnerable to security attacks such as 
interception and unauthorized access than fixed network communication. 
Therefore, it is vital to make a secure channel between a base station and a 
mobile station imni. 

To make a secure channel, it is required to maintain the confidentiality of 
messages and to provide mutual authentication between a base station and a 
mobile station. Many protocols have been proposed to satisfy the above 
requirements J. These protocols are divided into two groups. One group uses 
public-key cryptosystems and the other group uses secret-key cryptosystems. 
The mobile communication standards (e.g. GSM [E], DECT PI) adopt the 
secret-key based protocols because secret-key cryptosystems are much faster 
than public-key cryptosystems. 

However, the key management of the secret-key based protocol is more 
complicated and more dangerous than that of the public-key based one. Each 
mobile station in the secret-key based protocols must keep its secret 
information, all of which should be stored in the AC (Authentication Center). 
The AC becomes the critical component in the system because it must participate 
in all key establishment protocol executions. Consequently, the communication 
overhead of the AC increases and one must replicate the AC to reduce the 
overhead. However, replication of the AC increases the risk of the system. On 
the other hand, the public-key based protocols only need a CA (Certificate 
Authority) which certifies the public keys of mobile stations and base 
stations. The CA is less critical than the AC because the CA only certifies 
public keys, whereas the AC must manage all secret information. Furthermore, 
if there are no more keys to be certified then the CA may even be closed. In 
addition, only with public-key cryptosystems can we implement non-repudiation 
services and easily achieve anonymity. 

In spite of the advantages of a public-key cryptosystem, it is not fully 
utilized because of the poor computing power and the small battery capacity of 
a mobile station. Consequently, much previous research on key establishment 
protocols (i.e., mutual authentication and key agreement protocols) focuses on 
minimizing the computational overhead of a mobile station without loss of 
security. 

Beller, Chang, and Yacobi proposed a scheme using both public-key cryptosystems 
and secret-key cryptosystems for the key establishment protocol jfllil]. They 
used the MSR (Modular Square Root) algorithm to reduce the computational 
overhead of a mobile station, and also used the Diffie-Hellman key exchange 
protocol 1^ to establish a session key. Carlsen showed that this protocol is 
vulnerable to a replay attack and immunized it. Mu and Varadharajan showed an 
attack using the structure of the certificate and proposed the corresponding 
countermeasure for the attack. But Beller et al. seemed to have considered the 
risk in their original proposal. Beller and Yacobi proposed a protocol using the 
ElGamal algorithm m in p). The protocol reduces the response time of a mobile 
station by using ElGamal's precomputable property. Boyd and Mathuria showed 
that the protocol is vulnerable to a man-in-the-middle attack and immunized 
it p]. Aziz and Diffie proposed a protocol providing good forward secrecy p]. 
Boyd and Mathuria showed that this protocol is also vulnerable to a 
man-in-the-middle attack and immunized it |0. We describe these protocols in 
detail in Section 2.1. Recently, Park proposed another scheme 0 based on Yacobi 
and Shmuely's general key exchange scheme m. However, Martin and Mitchell P] 
found an attack and Boyd and Park showed another attack |Q. 

^ Tatebayashi, Matsuzaki, and Newman proposed the first key establishment 
protocol using a public-key cryptosystem M. After that, Park, Kurosawa, Okamoto, 
and Tsujii showed that the protocol is not secure and proposed a new key 
establishment protocol P). However, these protocols are end-to-end protocols 
for providing a secure communication channel between mobile stations, and this 
paper focuses on the link security between a mobile station and a base station. 

Although many protocols try to reduce the computational overhead of a mobile 
station, all of them require hundreds of modular multiplications. Consequently, 
they are not fully utilized because a mobile station has poor computing power 
and a small battery capacity PP]. 

In this paper, we propose some techniques accelerating the previous key 
establishment protocols between a mobile station and a base station. The 
proposed techniques enable a mobile station to borrow the computing power of a 
base station to reduce its computational overhead. The proposed techniques 
accelerate the previous key establishment protocols up to five times and reduce 
the power consumption of a mobile station. 

The proposed techniques use SASC (server-aided secret computation) protocols 
p3|1 b]. SASC protocols enable a smart card to use the computing power of a 
server (e.g. a card reader or ATM). Our insight is that the relationship between 
a smart card and a server is similar to that between a mobile station and a base 
station in mobile communication. The acceleration degrees of the proposed 
schemes are quite different from one another according to the SASC protocols 
used. In this paper, we analyze the acceleration factors of the proposed schemes 
and compare them with one another. The analysis shows that one of the 
approaches shows outstanding performance among them. 

This paper is organized as follows: Section 2 explains previous key 
establishment protocols and the existing SASC protocols. Section 3 describes the 
techniques that accelerate key establishment protocols. We compare the 
accelerated protocols and the original protocols in Section 4 and conclude in 
Section 5. 

2 Backgrounds 

2.1 Key Establishment Protocols in Mobile Communication 

MSR+DH protocol PH Beller et al. proposed a key establishment protocol 
that uses MSR and the Diffie-Hellman scheme (from now on, we call it MSR+DH). 
Afterwards, Carlsen pointed out that the protocol is vulnerable to a message 
replay attack and improved it using a challenge-response technique |34|. The 
simplified description of the improved version of the MSR+DH protocol is as 
follows. 

1. $B \to M$ : $B, N_B, PK_B, Cert(B)$ 

2. $M \to B$ : $\{x\}_{PK_B}, \{N_B, M, PK_M, Cert(M)\}_x$ 

$B$ stands for a base station and $M$ is a mobile station in the above 
description. The arrow shows a message delivery and $PK$ is a public key. 
$\{X\}_K$ means that $X$ is encrypted with a key $K$. A base station sends its 
public key with the certificate to a mobile station in step 1. Then the mobile 
station verifies the public key of the base station and encrypts the nonce 
($N_B$) and its public key ($PK_M$) with the session key ($x$). The mobile 
station sends the encrypted message to the base station. After that, both the 
mobile station and the base station compute a shared session key using the 
Diffie-Hellman key exchange scheme. 

^ Beller and Yacobi's scheme reduces the delay through precomputations. However, 
as the scheme executes the precomputations every time, it does not reduce the 
computational overhead itself. We analyze it in detail in Section ^ 



Beller and Yacobi's protocol Beller and Yacobi designed a protocol that 
uses the ElGamal algorithm (from now on, we call it BY), and afterwards, Boyd 
and Mathuria showed that this protocol is vulnerable to a man-in-the-middle 
attack and improved it 0. The abstract description of the improved version of 
the BY protocol is as follows. 

1. $B \to M$ : $B, N_B, PK_B, Cert(B)$ 

2. $M \to B$ : $\{x\}_{PK_B}, \{M, PK_M, Cert(M)\}_x, \{h(B, M, N_B, x)\}_{PK_M^{-1}}$ 

3. $B \to M$ : $\{N_B\}_x$ 

The BY protocol is similar to the MSR+DH protocol except that the mobile station 
sends its signature ($\{h(B, M, N_B, x)\}_{PK_M^{-1}}$) to the base station in 
step 2 and the base station sends the encrypted nonce to the mobile station in 
step 3. 



Aziz and Diffie's protocol Aziz and Diffie proposed a key establishment 
protocol that decides the secret-key algorithm during the run of the protocol 
and generates a new session key from the session keys generated by a mobile 
station and a base station 0 (from now on, we call it AD). Afterwards, Boyd 
and Mathuria showed that this protocol is also vulnerable to a man-in-the-middle 
attack and improved it ^. The abstract description of the improved version of 
the AD protocol is as follows. 

1. $M \to B$ : $Cert(M), N_M, alg\_list$ 

2. $B \to M$ : $Cert(B), N_B, \{x_B\}_{PK_M}, sel\_alg, \{hash(x_B, M, N_M, sel\_alg)\}_{PK_B^{-1}}$ 

3. $M \to B$ : $\{x_M\}_{PK_B}, \{hash(x_M, B, N_B)\}_{PK_M^{-1}}$ 

$alg\_list$ stands for the list of secret-key algorithms and $sel\_alg$ is the 
secret-key algorithm selected by the base station. Other symbols mean the same 
as in the previous descriptions of the BY protocol. The established session key 
between a mobile station and a base station is $x_M \oplus x_B$, where $x_M$ 
stands for the session key generated by the mobile station and $x_B$ is the 
session key generated by the base station. Although the improved version of the 
AD protocol has a heavy computational overhead at the mobile station side, it 
provides good forward secrecy m- 
Table 1. Heavy operations at a mobile station side in each protocol assuming that 
160-bit exponents are used in ElGamal and DH, and other operands are all 512 bits. 

protocol  operation                            type of operation (algorithm)   mod. mul. 
MSR+DH                                         generate key (DH)               240 
          {Cert(B)}_{PK_CA}                    verify certificate (MSR)        1 
          {x}_{PK_B}                           encrypt (MSR)                   1 
BY                                             make signature (ElGamal)        240 
          {Cert(B)}_{PK_CA}                    verify certificate (MSR)        1 
          {x}_{PK_B}                           encrypt (MSR)                   1 
AD        {x_B}_{PK_M}                         decrypt (RSA)                   200 
          {hash(x_M, B, N_B)}_{PK_M^{-1}}      make signature (RSA)            200 
          {Cert(B)}_{PK_CA}                    verify certificate (MSR)        1 
                                               encrypt (MSR)                   1 
          {hash(x_B, ...)}_{PK_B^{-1}}         verify signature (MSR)          1 


The computational load of the protocols Table 1 shows the type and the 
number of heavy operations to be computed at the mobile station side in each 
of the previous protocols. As we can see in Table 1, the operations using the 
private key of the mobile station (i.e., signature generation and message 
decryption) require heavy computation. We assume that the RSA decryption and 
signature generation procedures use the Chinese Remainder Theorem to accelerate 
them m- If so, although the number of required modular multiplications is the 
same as for an ordinary modular exponentiation, the operand size is one fourth 
of it. 



2.2 Server-Aided Secret Computation 

SASC (Server-Aided Secret Computation) protocols enable a client (a smart 
card) to borrow computing power from a server (e.g., an untrusted auxiliary 
device like an ATM) without revealing its secret information. Matsumoto, Kato, 
and Imai proposed the first SASC protocol for RSA signature generation f!^, 
and it significantly accelerates the computation. Afterwards, a lot of effective 
attacks that can threaten SASC protocols have been designed and the 
corresponding countermeasures have also been proposed l2VtiSilhHSII4tll2yiT2ll21. 
The previous works related to this topic are reviewed in references m and 
10 in detail. 



Server-aided RSA computation In RSA EH], a signer computes two large 
primes $p, q$ and their product $n$, and then chooses a random integer $v$ which 
is relatively prime to $\phi(n)$ $(= (p-1)(q-1))$ and finds $s$ which satisfies 
$sv = 1 \bmod \phi(n)$. In this setting, the signature $S$ for a message $m$ is 
$m^s \bmod n$, and it can be verified by examining whether $S^v \bmod n$ is $m$ 
or not. The objective of SASC protocols is to enable the client to efficiently 
compute $m^s \bmod n$ with the aid of the server. 

Splitting-based techniques The first SASC protocol uses a decomposition of the 
secret $s$ into several pieces ($x_i$ and $a_i$, where 
$s = \sum_i x_i a_i \bmod \phi(n)$), and reveals some of them ($x_i$) and 
conceals the others ($a_i$). More advanced ones that were designed afterwards 
use a similar basic decomposition with more refined techniques, and we call 
them splitting-based techniques. In this paper, we use Beguin and Quisquater's 
protocol as a representative splitting-based technique, because it is one of 
the most recent ones and secure against all known attacks. Although a new and 
strong attack that can totally break the system was proposed by Nguyen and 
Stern at Asiacrypt'98 p^, it can be easily prevented by slightly changing the 
parameter selection scheme. 

Blinding-based technique Hong, Shin, Lee, and Yoon proposed another approach 
to server-aided RSA signature generation PI. The approach is to blind the 
client's secret $s$ by using a series of random numbers rather than to split it. 
The other procedures are similar to those of the splitting-based techniques. 
This scheme is secure against all known passive and active attacks including 
Nguyen and Stern's attack. 

Server-aided DSS computation Beguin and Quisquater designed a server-aided 
DSS (Digital Signature Standard) computation protocol p|. The protocol enables 
a client to quickly compute $a^x \bmod p$ with the aid of a server, where $a$ is 
a fixed and public integer, $p$ is a fixed and public prime number, and $x$ is a 
secretly chosen random number. It is a splitting-based technique. 

3 Our Approach 

3.1 Adaptation of SASC 

We simplify the description of the SASC protocol to adapt it to the mobile 
environment. A mobile station acts as a client, and a base station executes the 
function of a server. The following description shows the simplified protocols 
of base station assisted signature generation and decryption. (Those in 
parentheses stand for the decryption procedure.) 

    Mobile Station                                      Base Station 

                        modified_secrets 
                     ------------------------------> 
                                                        pseudo-signing (/ decryption) 
                        pseudo-signed_messages with modified_secrets 
                        (/ pseudo-decrypted_messages, 
                           hash_value of the plaintext) 
                     <------------------------------ 
    postcalculation 
    & verification 

In the above description, the amounts of data transferred between the mobile 
station and the base station, such as modified_secrets and 
pseudo-signed_messages, differ largely from one another according to the 
specific SASC protocol. If splitting-based techniques are used, they are two 
vectors (i.e., a lot of large numbers). Otherwise, only three integers are 
transferred in the blinding-based technique, of course except for the message 
to be signed (/decrypted) and the common modulus. The amount of computation 
required at the mobile station side is determined by postcalculation and 
verification. 

The base station assisted decryption procedure is in essence the same as that 
of the signature generation. However, we can improve the decryption procedure 
using the fact that the server, i.e., the base station, is the encrypter. 

In the verification step, the mobile station checks the final result (i.e., the 
result of the postcalculation that is computed using pseudo-decrypted_messages) 
of the protocol, and only when the result is correct does it proceed with the 
remaining steps of the key establishment protocol. At that time, the mobile 
station uses the received hash_value of the plaintext. (Originally, the mobile 
station should encrypt the final result with its public key and compare it with 
the received ciphertext as in the signature generation. This costs several 
modular multiplications.) Therefore, in the above decryption, the base station 
gives the hash_value of the plaintext, and the mobile station checks the final 
result by comparing its hash value to the received hash value. Moreover, this 
modification reduces the communication overhead as well as several modular 
multiplications, because the base station does not need to transmit the 
ciphertext itself. 



3.2 Acceleration Techniques 

MSR+DH acceleration As we can see in Table 1, the only operation that 
requires intensive computation at the mobile station side is the encryption of 
the base station's public key with the mobile station's private key after they 
exchange their public keys. It can be written as follows: 

$(PK_B)^{PK_M^{-1}} \bmod p$, where $PK_B = g^{PK_B^{-1}} \bmod p$. 

From the point of view of the mobile station, $PK_B$ is a variable as it is the 
base station's public key, and the exponent ($PK_M^{-1}$) is a fixed value as it 
is the private key of the mobile station itself. Therefore, server-aided RSA 
computation should be used to speed up the protocol, although $p$ is a fixed 
integer. 

A splitting-based technique and a blinding-based one can both be used. 
However, both techniques need to be modified slightly to be applied to the 
Diffie-Hellman scheme. Recent SASC protocols such as Beguin and Quisquater's PS] 
and Hong et al.'s m are designed to use the CRT (Chinese Remainder Theorem) to 
reduce RSA signature generation time, which relies on the fact that the signer 
knows the factorization of the modulus $n$ PS]. However, as the modulus $p$ in 
the Diffie-Hellman key exchange protocol is a prime, the CRT cannot be used. As 
a result, the performance is degraded by a factor of two. 

We show the procedure that enables a mobile station to borrow the computing 
power of the base station to execute the Diffie-Hellman key exchange. The 
following scheme is based on Beguin and Quisquater's scheme, which is a 
representative splitting-based technique. 

1. The mobile station randomly chooses $a_i$'s and $x_i$'s that satisfy the 
following equation: $s_1 = \sum_{i=0}^{m-1} a_i x_i \bmod (p - 1)$. Then, it 
sends the $x_i$'s to the base station. 

2. The base station computes and returns $(PK_B)^{x_i} \bmod p$ to the mobile 
station, for $0 \le i \le m - 1$. 

3. The mobile station computes $z = \prod_{i=0}^{m-1} ((PK_B)^{x_i})^{a_i} \bmod p$. 

4. The mobile station sends $\alpha$ which satisfies the following: 
$\alpha = s_2 \bmod (p - 1) + \epsilon (p - 1)$, where 
$\epsilon \in_R \{0, 1, \ldots, p - 2\}$ and $s_2 = s - s_1$. 

5. The base station computes and returns $y = (PK_B)^{\alpha} \bmod p$ to the 
mobile station. 

6. The mobile station computes $S = z \times y \bmod p$, and checks if 
$\ldots = PK_M \bmod p$; if not, it stops the succeeding key establishment 
protocol. 



Acceleration of improved BY scheme A mobile station executes two public-key 
operations and one private-key operation (refer to Table 1). The two public-key 
operations are the verification of a public-key certificate and an encryption using 
the base station's public-key. These require only two modular multiplications (one 
each), as they both use the MSR algorithm. 

The operation that requires extensive computation is the signature generation of the 
mobile station using its private-key. Beller and Yacobi's approach to overcoming this 
problem is to make use of the precomputable property of the ElGamal algorithm. Their 
insight is as follows: when the mobile station generates the signature 
$\{h(B, M, N_B, x)\}_{PK_M^{-1}}$ to be sent to the base station, $g^r \bmod p$ can be 
precomputed and stored in advance, as it is independent of the message 
$h(B, M, N_B, x)$ to be signed. Therefore, the mobile station can generate the 
signature with only three modular multiplications at call set-up time. 

We can accelerate the precomputation ($g^r \bmod p$) by using Beguin and Quisquater's 
server-aided DSS scheme. 

1. The mobile station randomly chooses $x_i$'s and $b_i$'s which satisfy 
   $r = \sum_{i=0}^{m-1} x_i b_i$, where $0 \le x_i < h$. Then it sends the $b_i$'s to 
   the base station. 

2. The base station computes $g^{b_i} \bmod p$ for $0 \le i \le m-1$, and returns 
   them to the mobile station. 

3. The mobile station computes $g^r = \prod_{i=0}^{m-1} (g^{b_i})^{x_i} \bmod p$. 

(*) For this final result checking, we assume the public exponent $PK_B$ is very small, 
as in the server-aided RSA computation. 
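The splitting-based exchange above, written out as an added example (this is not the paper's code): a weak client obtains base^s mod p for a fixed secret exponent s by sending the server only the random x_i's and a randomised alpha, keeps the small a_i's to itself, and checks the answer the way the footnote describes, by raising the result to a small public exponent. One routine serves both uses on the page, the mobile station's PK_B^{PK_M^{-1}} mod p in MSR+DH and the g^r mod p precomputation of the improved BY scheme. The modulus, the public exponent E and the parameters m and h are toy assumptions chosen so the block runs instantly, not the paper's values.

```python
# Added example, not the paper's code: splitting-based server-aided
# exponentiation in the Beguin-Quisquater style of Section 3.2.
# P, E, M and H are toy assumptions, not the paper's parameters.
import random
from typing import List, Optional, Tuple

P = 2**127 - 1               # a Mersenne prime modulus (assumed)
E = 5                        # tiny public exponent, gcd(E, P-1) = 1 (assumed)
S_PRIV = pow(E, -1, P - 1)   # the fixed private exponent, playing PK_M^{-1}
M, H = 8, 16                 # splitting terms and bound on the small a_i (assumed)


def client_prepare(s: int, rng: random.Random) -> Tuple[List[int], List[int], int]:
    """Mobile side, steps 1 and 4: split s = s1 + s2 (mod p-1) with
    s1 = sum a_i x_i.  Only the x_i's and a randomised alpha leave the
    device; the small a_i's and the split point stay secret."""
    x = [rng.randrange(1, P - 1) for _ in range(M)]
    a = [rng.randrange(1, H) for _ in range(M)]
    s1 = sum(ai * xi for ai, xi in zip(a, x)) % (P - 1)
    s2 = (s - s1) % (P - 1)
    rho = rng.randrange(0, P - 1)
    alpha = s2 + rho * (P - 1)       # alpha = s2 mod (p-1) + rho (p-1)
    return x, a, alpha


def server_assist(base: int, x: List[int], alpha: int) -> Tuple[List[int], int]:
    """Base station, steps 2 and 5: the full-size exponentiations, all on
    values it is allowed to see."""
    return [pow(base, xi, P) for xi in x], pow(base, alpha, P)


def client_finish(base: int, a: List[int], helpers: List[int], y: int) -> Optional[int]:
    """Mobile side, steps 3 and 6: z = prod (base^{x_i})^{a_i}, result z*y,
    then the cheap check result^E == base (E is small, so this costs only
    a few modular multiplications).  Returns None if the check fails."""
    z = 1
    for ai, bi in zip(a, helpers):
        z = z * pow(bi, ai, P) % P   # exponents a_i < H: cheap for the mobile
    result = z * y % P
    if pow(result, E, P) != base:    # s*E = 1 mod (p-1), so base^{sE} = base
        return None
    return result


def server_aided_exp(base: int, s: int, rng: random.Random,
                     cheat: bool = False) -> Optional[int]:
    """Run the whole exchange.  `cheat` simulates a base station that
    returns a wrong y; the final check must reject it."""
    x, a, alpha = client_prepare(s, rng)
    helpers, y = server_assist(base, x, alpha)
    if cheat:
        y = y * 2 % P
    return client_finish(base, a, helpers, y)


def demo(seed: int = 1) -> Tuple[bool, bool]:
    """(honest result equals a direct pow, tampered answer is rejected)."""
    rng = random.Random(seed)
    base = rng.randrange(2, P - 1)
    honest = server_aided_exp(base, S_PRIV, rng)
    cheated = server_aided_exp(base, S_PRIV, rng, cheat=True)
    return honest == pow(base, S_PRIV, P), cheated is None
```

The security of the split rests on m and h: the server sees the x_i's and alpha but not the a_i's, and with the toy values here an exhaustive search over the a_i's is feasible, which is why the paper selects h and m from the recommendations of the original SASC proposals (h = 11, m = 29 for RSA).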
Acceleration of improved AD scheme The improved AD protocol makes use of 
three public-key operations and two private-key operations (refer to Table 1). As 
the public-key operations can be implemented using MSR encryption and MSR signature 
verification, they can all be executed with only three modular multiplications in 
total. The bottleneck of the key establishment protocol is the two private-key 
operations, and therefore SASC techniques have to be used twice. We use RSA 
decryption and RSA signature generation as the private-key operations. 

The first heavy computation is the decryption of $\{x_B\}_{PK_M}$, which is received 
from the base station. We use the blinding-based server-aided RSA computation 
technique together with the simplified decryption procedure of Section 3.1. The 
second private-key operation is the signature generation for the message 
$hash(x_M, B, N_B)$. It can also be accelerated by using base-station-assisted RSA 
signature generation as in Section 3.1. Detailed descriptions of these two 
acceleration schemes are given in the Appendix. 

4 Performance Analysis 

In this section, we analyze the performance of the acceleration techniques presented 
in the paper. The basic metric is the number of modular multiplications required at 
the mobile station side. We compare the accelerated versions of the proposed 
techniques with the original key establishment protocols to which they are applied. 

The performance comparison is presented in Table 2. We let the size of the moduli $p$ 
and $n$ be 512 bits, and assume that the ElGamal algorithm and the Diffie-Hellman 
protocol use 160-bit exponents. We let the public exponent of RSA be short, exactly 
3, and assume that the RSA decryption algorithm uses the CRT. 

The security parameters (e.g., $h$ and $m$ in Beguin and Quisquater's SASC scheme) 
are selected among the values recommended in the original SASC protocol proposals. 
The security parameters of the blinding-based technique are 
$\langle b_r = 11, b_{r'} = 26, k = 3 \rangle$. Those of the splitting-based technique 
are $\langle h = 11, m = 29 \rangle$ for RSA and $\langle h = 16, m = 40 \rangle$ for 
ElGamal. 

The proposed techniques accelerate the previous key establishment protocols by more 
than five times at most, as we can see in Table 2. The factor of acceleration differs 
considerably according to the SASC protocol used. Moreover, the communication 
overhead of the SASC protocol widens the gap further: a splitting-based scheme sends 
many more bytes than a blinding-based one. The overall performance gain, including 
the communication overhead and the expected execution time, is presented in the 
'F.A.' field of Table 2. 

Table 2. Comparison of acceleration techniques, assuming that an 8-bit 
μ-processor and a 9600 bps communication link are used. Communication overhead is 
given in bytes and computation time in seconds. '#MM' is the number of modular 
multiplications at the mobile station, and 'F.A.' the factor of acceleration. 

  protocol  technique   comp.                   comm.             total 
                        #MM   time(s)  F.A.     bytes   time(s)   time(s)  F.A. 
  MSR+DH    N.A.        242   43.56    1.0        320    0.27      43.8    1.0 
  MSR+DH    splitting    82   14.76    3.0       3127    2.61      17.4    2.5 
  MSR+DH    blinding     72   12.96    3.4        704    0.59      13.5    3.2 
  IBY       N.A.        242   43.56    1.0        384    0.32      43.9    1.0 
  IBY       splitting    70   12.6     3.5      19968   16.64      29.2    1.5 
  IAD       N.A.        403   72.54    1.0        512    0.43      73.0    1.0 
  IAD       splitting    80   14.4     5.0       6190    5.16      19.6    3.7 
  IAD       blinding     70   12.6     5.8       1472    1.23      13.8    5.3 

5 Conclusion 

RSA signature generation and decryption require full modular exponentiations (i.e., 
several hundred modular multiplications), as does the Diffie-Hellman key exchange 
algorithm. Therefore, RSA has not been usable as a building block for a key 
establishment protocol in mobile communication. A modular multiplication costs 180 ms 
on a typical 8-bit μ-processor, so more than 40 seconds are required for key 
establishment, communication overhead excluded. Although the computing power of a 
mobile station has been and is evolving rapidly due to VLSI technology, full modular 
exponentiations are heavy operations for mobile equipment now and in the near 
future (*) (partially because of battery consumption). The proposed acceleration 
techniques make RSA a candidate building block for a key establishment protocol in 
mobile communication. This is a significant contribution, as RSA is a very widely 
deployed cryptographic algorithm. 

Beller and Yacobi's protocol dramatically reduces the delay for call set-up by using 
precomputation. However, as the precomputation has to be executed every time, it 
does not reduce the amount of computation itself. It is therefore inefficient under 
continuous execution and from the point of view of battery consumption (**). The 
proposed scheme reduces the amount of computation required at the mobile station 
with the aid of the base station, and so reduces both the call set-up delay 
(including continuous execution) and the precomputation overhead, as presented in 
Table 2. 



(*) Although current PCS (Personal Communication Services) handsets use powerful 
processors, we cannot expect to enjoy enough computing power and battery as mobile 
equipment becomes smaller in size and weight. In the extreme case, one can imagine a 
wearable computer or on-body computing. 

(**) Current μ-processors for mobile equipment reduce battery consumption by 
changing to an idle mode when there is nothing to do. Therefore, the mode change 
overhead may be serious, depending on the usage pattern. 
Appendix 

We show two acceleration schemes for Aziz and Diffie's protocol. The proposed 
schemes require some precomputation; however, this precomputation is executed only 
once, when the private key $d$ is generated. The client computes $t'$, which 
satisfies the following equation, to conceal the secret $d$: 

    $t' = \bar{r}_k(\cdots(\bar{r}_1(d - r_1) - r_2) - \cdots - r_k) - R \bmod \lambda(N)$. 

In this equation, $\bar{r}_i$ means $r_i^{-1} \bmod \lambda(N)$, and $r_i$, $r_i'$ 
and $R$ are random numbers which satisfy some conditions. (The detailed selection 
scheme for the random numbers is given in the reference.) The client prepares 
$u = \prod_{i=1}^{k} r_i \bmod \lambda(N)$. The client also computes 
$W_p = q(q^{-1} \bmod p) \bmod N$ and $W_q = p(p^{-1} \bmod q) \bmod N$. (Note that 
$b_r$, $b_{r'}$ and $k$ are security parameters, and they should be selected so as to 
maximize the performance while keeping the protocol secure. $b_{r'}$ should be less 
than $(p-1)/2 - 1$ and $(q-1)/2 - 1$ for security. However, this does not matter, 
because the computation time largely depends on 

The following is the base station assisted decryption of $\{x_B\}_{PK_M}$, which is 
received from the base station. 

1. The mobile station randomly chooses $d_1$, and then sends $n$, $t$, $\alpha_p$ 
   and $\alpha_q$ to the base station, where they satisfy the following equations: 
   $t = t' - u \times d_2 \bmod \lambda(N)$, where $d_2 = d - d_1$; 
   $\alpha_p = d_2 \bmod (p-1) + \varrho_p(p-1)$ and 
   $\alpha_q = d_2 \bmod (q-1) + \varrho_q(q-1)$, where 
   $\varrho_p \in_R \{0, \ldots, q-2\}$ and $\varrho_q \in_R \{0, \ldots, p-2\}$. 

2. The base station encrypts the message $x_B$ using the mobile station's 
   public-key $PK_M$ (i.e. $\{x_B\}_{PK_M}$). Then it computes and returns the 
   following to the mobile station: $(\{x_B\}_{PK_M})^{t} \bmod n$, 
   $y_p = (\{x_B\}_{PK_M})^{\alpha_p} \bmod n$ and 
   $y_q = (\{x_B\}_{PK_M})^{\alpha_q} \bmod n$. At the same time, it also gives 
   $H = h(x_B)$ to the mobile station. 

3. The mobile station makes use of the unblinding scheme and the CRT to extract 
   $x_B$ from the values received from the base station. If the extracted value 
   $x_B$ satisfies $h(x_B) = H$, the mobile station uses $x_B$ in the succeeding key 
   establishment protocol. Otherwise, it stops the protocol. 

The following is the acceleration of the second private-key operation, which is the 
signature generation for the message $hash(x_M, B, N_B)$. The notation is the same 
as in the above scheme. 

1. The mobile station sends $hash(x_M, B, N_B)$ $(= h)$, $n$, $t$, $\alpha_p$ and 
   $\alpha_q$ to the base station. 

2. The base station computes and returns the following: $h^{t} \bmod n$, 
   $y_p = h^{\alpha_p} \bmod n$ and $y_q = h^{\alpha_q} \bmod n$. 

3. The mobile station makes use of the unblinding scheme and the CRT to generate 
   the signature $S$. If the result $S$ satisfies $\{S\}_{PK_M} = hash(x_M, B, N_B)$, 
   the mobile station makes use of $x_M$ in the succeeding key establishment 
   protocol. Otherwise, it stops the protocol. 
Abstract. This work proposes new conference key agreement protocols 
based on secret sharing. We discuss the roles of the dealer and the recovery 
algorithm in the trust structure, which is the necessary condition for any 
key establishment protocol to achieve its intended security goals. Our 
conference key agreement protocol tackles the problem of entity authentication 
in conference key agreement protocols: entity authentication is replaced by 
group authentication. To start a new conference, all principals have to be 
active and broadcast their shares. If the conference goes ahead, all principals 
are sure that all principals are present and alive. The paper concludes with a 
discussion of possible modifications and extensions of the protocol. 

Keywords: Cryptographic Protocols, Key Establishment Protocols, 
Key Agreement Protocols, Shamir Secret Sharing. 



1 Introduction 

Establishment of cryptographic keys is one of the basic cryptographic operations, 
which is always necessary if two or more parties wish to create secure channels for 
a communication session. Traditionally, cryptographic protocols which deal with 
multi-party key establishment are called conference key establishment protocols. 
The part of cryptology which is concerned with key establishment has developed 
its own specific terminology. Principals are all active entities (parties) which 
can initiate a protocol or be actively involved in it. A key is fresh if it has 
never been used before. Some other terms will be introduced gradually throughout 
the paper. Key establishment can be achieved by the distribution of a fresh key by 
a trusted authority (TA) to all principals. This class of protocols is called key 
distribution protocols. An alternative to key distribution protocols is the class 
of key agreement protocols. In this class, every principal involved in a protocol 
contributes to the final form of the secret key. 

Needham and Schroeder designed the first key distribution protocol. Two 
principals who execute the protocol can obtain a fresh and secret cryptographic 
key, assuming that there is a trusted authority (TA) who has already established 
secure communication channels between the principals and the TA. These channels 
are necessary to distribute a fresh key (generated by the TA) to the principals. 
Diffie and Hellman showed how two principals can collaborate to create a 
common and secret key via insecure channels. The main drawback of their key 
agreement protocol was the lack of authentication of principals. As a result, the 
protocol is susceptible to the man-in-the-middle attack. The Station-to-Station 
(STS) protocol is a secure version of the Diffie-Hellman (DH) protocol and was 
designed by Diffie, van Oorschot and Wiener. A viable option for conference 
key establishment is a straightforward application of two-party protocols. As 
expected, this solution typically introduces heavy communication overhead. 

The paper is structured as follows. Section 2 presents the features of secret 
sharing which are useful for key establishment protocols. The trust structure 
necessary to build a secret sharing scheme, which constitutes the underlying 
infrastructure for key establishment protocols, is discussed in Section 3. In 
Section 4, we highlight the goals of conference key distribution protocols. In 
Section 5, a new key agreement protocol is described. The last section deliberates 
on possible extensions and modifications of the protocol. 

2 Features of Secret Sharing 

Secret sharing was introduced by Shamir and Blakley. Secret sharing includes two 
algorithms: one for the design and distribution of shares (this algorithm is 
called a dealer) and the other for recovery of the secret (called a recovery 
algorithm or combiner). The dealer typically generates a fresh secret key and 
divides it into pieces called shares. Shares are sent via secure channels to 
principals. At pooling time, when a big enough subset of principals agrees to act, 
they send their shares to the combiner, who recovers the secret key and distributes 
it among the principals. For more precise definitions and a description of secret 
sharing, the reader is referred to the literature. 

Secret sharing seems to be an ideal vehicle for design of a variety of conference 
key establishment protocols. The following properties of secret sharing make it 
especially attractive. 

1 . The amount of trust assigned to each principal can be mirrored by a proper 
access structure. If all principals are equally trusted, then a threshold sharing 
seems to be appropriate. 

2. Not all principals have to be active to trigger the conference. This also 
means that the secret sharing used can reflect different requirements as to how 
big a subset of active principals has to be to call on the conference. Again, if 
threshold secret sharing is acceptable, then the selection of the threshold makes 
it possible to control the size of the group that is able to call on the 
conference. 

3. Principal authentication can be replaced by group authentication. This is 
a weaker requirement and in general can be less expensive to achieve. This 
is the case when principals do not need to know the precise composition of the 
currently active group but need to be sure that the group is big 
enough to conduct a valid conference. 

Secret sharing exhibits some features which may restrict its applicability 
to key establishment protocols. The two most serious are: 

1. The composition of conference principals must be decided well ahead of the 
conference. Typically, this is done by the dealer. 

2. The dealer must distribute shares to all principals via secure channels. 

The first property may not be a real hindrance when the group involved in the 
conference is known well in advance and its composition is fixed for some time. 
One can argue that most conferences are of this kind. Moreover, secret sharing 
has already developed methods and techniques to deal with modifications of the 
group (enrolment and disenrolment). The second feature is unavoidable, but 
can be dealt with by converting secret sharing into the conditionally secure 
setting. In other words, once the secret sharing has been set up, it can be used 
many times. 

3 Trust Structure 

The existence of trust is the necessary condition for any key establishment 
protocol to work correctly and to achieve its security goals. Needham and 
Schroeder assumed that there was a TA who generated a fresh key and used 
pre-arranged secure channels to distribute it to principals. Diffie, van Oorschot 
and Wiener, in their STS protocol, supposed that any principal running their key 
agreement protocol had access to authenticated public keys. Typically, a TA 
delivers the requested public keys in the form of certificates produced by the TA 
using its secret key, so a principal knowing the public key of the TA can check 
their authenticity. 

In secret sharing, the trust structure evolves around the dealer, combiner and 
secure channels. We now briefly discuss these components of trust. 

3.1 Dealer 

For key distribution protocols, the dealer plays the role of a TA or a conference 
chairman who first composes a collection of principals who are eligible to parti- 
cipate in the conference. Next the chairman chooses a proper access structure. 
The access structure must reflect the hierarchical positions of principals in the 
group and define clearly the collection of minimal subgroups which can still call 
on the conference. Once this is done the chairman selects a fresh secret key and 
divides it into shares. Shares are secretly transported to principals. 

For key agreement protocols, there is no trusted authority directly involved 
in the secret key generation. The model appropriate for this case seems to be 
secret sharing without a dealer, or in other words, every principal plays the role 
of dealer. A principal designs her own secret sharing with an access structure of 
her choice and uses secret channels to distribute shares to the other principals. 
After all principals have distributed their shares, each principal holds her own 
share plus the shares obtained from the others. Finally, each principal combines 
all the shares into one, hoping that the resulting secret sharing has an access 
structure acceptable to all. 

It is not difficult to notice that this approach can only work if all principals 
use the same type of secret sharing, one which allows many locally generated 
secret sharings to be merged into one (without a dealer). A broad class of secret 
sharing which allows this is the class of linear schemes. Even dealing with linear 
secret sharing does not solve the problem of different access structures selected 
by individual principals. We do know, however, that if each principal selects a 
$(t, n)$ Shamir threshold scheme and distributes shares to the same collection of 
principals, then the resulting scheme is also a threshold scheme. It is easy to 
check that if each principal selects a different threshold but the collection of 
principals is the same for all, then the threshold of the composed sharing is the 
largest one used by the principals: the sum of the polynomials has the degree of 
the highest-degree summand unless the leading coefficients happen to cancel. 

3.2 Combiner 

In a secret sharing scheme, we need a combiner who collects the shares from the 
principals and computes the secret key. The recovered key is then distributed to 
all active principals via secure channels. In key establishment protocols, the 
shares collected by the combiner are not necessary if the combiner is trusted, as 
it can generate a fresh key and distribute it. Note that the purpose of secret 
sharing is to recover the key, while in key establishment protocols any fresh key 
is good. Certainly, the role of the combiner in the context of key establishment 
protocols needs to be redefined. The idea is to get rid of the single combiner and 
replace it by principals who perform the combiner role themselves. Consider two 
possible cases. 

The case of key distribution protocols. There is a chairman who designs a 
secret sharing of threshold 2 for a fresh secret. Each principal gets a single 
share, while the chairman holds the secret and one extra share. The extra share is 
used to trigger the conference by broadcasting it (the broadcast must be 
authenticated). Each principal takes her share plus the broadcast one and recovers 
the secret key. Observe that each principal plays the role of combiner. 

Assume that there is no chairman and the trusted dealer does not participate 
in conferences but sets up a secret sharing with a fresh key. If the secret 
sharing has threshold $n+1$ and the number of all shares is $3n$ ($n$ is the 
number of all eligible principals), and each principal is assigned 3 shares, then 
to call on a conference it is enough if $n$ principals broadcast one share each. 
Knowing $n$ broadcast shares, each principal can recover the secret key using her 
second share. The third share can be applied to verify the validity of the secret. 
Clearly, a misbehaving principal can broadcast two or three shares instead of one. 
If a principal broadcasts two shares, she can still recover the secret but cannot 
verify it. If she announces three shares, she cannot participate in the 
conference. 

The second case is related to key agreement protocols. Assume that an 
$(n+1, 2n)$ secret sharing is set up collectively by all $n$ principals, so the 
threshold is $(n+1)$ and each principal holds 2 shares. Note that to call on a 
conference, it is enough for the principals to broadcast their single shares. 
After publishing $n$ shares, each principal can apply the second share to recover 
the secret (the threshold is $(n+1)$). 

3.3 Communication Channels 

All interactions among principals are done via communication channels. A 
channel can provide either secrecy or authenticity, or both. An enemy who accesses 
a secrecy channel is unable to understand the message transmitted. Secrecy 
channels can be implemented using symmetric or asymmetric cryptography. In the 
case of symmetric cryptography, both the sender and the receiver know the same 
cryptographic key. In asymmetric (or public key) cryptography, the sender's key 
is public but the receiver's key is secret. Note that the sender must make sure 
that the key is the authentic public key of the intended receiver. 

Authenticity channels do not hide messages but provide check-sums (also 
called MACs) which can be used to verify their origin. Typically, the receiver 
can detect whether or not a message comes from the correct source and has not 
been tampered with during transmission. 

Broadcast channels are normally meant to be readable by all principals, but any 
modification of the contents of messages will be detected with high probability 
by all principals. From now on, if we say that a message is broadcast, we mean 
that the broadcast channel is authenticated, so any tampering with messages 
causes principals to reject them. If we say that a message is sent over a secure 
channel, we assume that the channel provides both secrecy and authenticity. 

Key distribution protocols typically apply secure channels implemented using 
either secret-key or public-key cryptosystems. This was the case for the Needham- 
Schroeder protocols and their successors. Key agreement protocols are normally 
supported by public-key cryptosystems, and broadcasting seems to be the 
predominant way of message communication. 

4 Goals of Conference Key Establishment Protocols 

Conference key establishment protocols are usually designed to achieve a well- 
defined collection of goals, and simultaneously one would expect that they can be 
run efficiently. The main collection of security goals for key establishment 
protocols is: (1) key freshness, (2) entity authentication, (3) key confirmation, 
(4) key authentication, and (5) explicit key authentication. 

A key is fresh if it has not been generated or used before. Entity authentication 
is a confirmation process which allows one principal to identify correctly the 
others involved in the protocol. Typically, it allows a principal to check whether 
the other principals are active (alive) at the time when the protocol is being 
executed. This requirement can be relaxed by defining group authentication, in 
which every principal is sure that all principals are alive and present. This 
allows any principal to identify the group rather than individuals. Weak group 
authentication means that all currently active principals are sure that there is a 
big enough group of active principals. In most circumstances, a conference is 
considered to be valid if a quorum of principals is present. The access structure 
(or the threshold parameter) conveniently determines the size of a big enough 
group. Key confirmation is a property of a protocol which allows one principal to 
make sure that the other parties possess the same common key. Implicit key 
authentication provides an assurance to principals that no one except specific 
other parties could have gained access to the common key. Implicit key 
authentication can also be viewed as key confidentiality. By explicit key 
authentication we mean that both implicit key authentication and key confirmation 
hold. 



5 A New Conference Key Agreement Protocol 

We propose a key agreement protocol which uses overlapping secret sharing schemes 
to establish a fresh secret key. More precisely, each principal $P_i$ is free to 
choose her own Shamir secret sharing defined by a polynomial $f_i(z)$. The group, 
however, works with the combined Shamir scheme based on the polynomial 
$F(z) = \sum_{i=1}^{n} f_i(z)$. As in the DH protocol, all principals who want to 
join a conference contribute equally to a fresh secret key. The protocol consists 
of three stages: 

1. registration - each principal who wants to join the conference registers 
herself with a trusted registry, 

2. initialisation - each principal creates her private secret sharing scheme and 
distributes shares to all other principals, 

3. call for conference - principals broadcast their shares and thereby enable 
themselves to recover a common secret key. 



5.1 Assumptions 

The following assumptions are made: 

- there are $n$ principals $\{P_1, \ldots, P_n\}$ who want to join the conference, 

- there exists a trusted registry ($R$) who manages the registration of principals. 
In particular, the registry keeps a list of public keys of principals, 

- public information accessible from the registry is authenticated by the 
registry. Typically, information is accessible in the form of certificates signed 
by $R$, 

- secure channels provide both secrecy and authentication, and broadcast 
channels deliver authenticated messages to all principals (messages can be read 
by all, but nobody can modify them without the modification being detected). 

Let $p$ and $q$ denote large primes such that $q$ divides $p-1$. Let $G_q$ be the 
subgroup of $Z_p^*$ of order $q$ and $g$ be a generator of $G_q$. 
5.2 Registration 

Each principal $P_i$ chooses his own private key $x_i \in Z_q^*$ and submits his 
public key $h_i = g^{x_i} \bmod p$, for $i = 1, \ldots, n$, to the registry $R$. 
After all principals have completed their registration, the registry $R$ displays 
a read-only list of public keys together with the principals' names. 
Additionally, $R$ generates a random integer $r \in_R Z_q^*$ on demand and keeps 
it for a short period of time. Normally, the value is generated whenever a need 
for a conference arises (indicated by principals who wish to call a conference). 
This value is erased after some time (when the conference has finished). The same 
value $r$ is never used in two different conferences. 

Registration serves three purposes. The first is that each principal knows the 
other principals who are to join the conference. The second is that the public 
keys can be used to implement secure channels between principals. For example, 
the information provided by the registry is enough to encrypt a message using the 
ElGamal cryptosystem. Assume that $m \in Z_p^*$ and $P_i$ wants to send the 
message to $P_j$ in encrypted form. First $P_i$ chooses a random integer 
$v \in Z_q^*$ and computes $g^v$ and $m \times h_j^v$. The pair 
$(g^v, m \times h_j^v)$ is sent to $P_j$. The receiver $P_j$ takes the pair and 
computes $(g^v)^{x_j} = g^{v x_j}$, which is then used to extract the message 
$m = m \times h_j^v \times g^{-v x_j}$. The third purpose is to supply principals 
with fresh (random) elements $r$ which are later used in the protocol. 

5.3 Initialisation 

This part of the protocol is done by each principal independently of the others. 
The setup phase proceeds as follows: 

1. Principal $P_i$ designs an $(n+1, 2n)$ Shamir threshold scheme, i.e. a scheme 
   with $2n$ shares and threshold $n+1$. Let the scheme be defined by a random 
   polynomial $f_i(z)$ of degree at most $n$. Suppose that 

       $f_i(z) = a_{i,0} + a_{i,1} z + \cdots + a_{i,n} z^n$, 

   where the coefficients $a_{i,j} \in Z_q^*$ are chosen at random for 
   $j = 0, \ldots, n$. As usual in the Shamir scheme, shares are computed for $2n$ 
   public $z$ co-ordinates. We assume that $P_i$ is assigned the pair of 
   co-ordinates $Z_i = (2i-1, 2i)$. 

2. Further, $P_i$ prepares pairs of shares 
   $s_{ij} = (s_{ij}^{(1)}, s_{ij}^{(2)}) = (f_i(2j-1), f_i(2j))$ for 
   $j = 1, \ldots, n$. 

3. Finally, $P_i$ communicates $s_{ij}^{(2)}$ to the principal $P_j$, 
   $j = 1, \ldots, n$, $j \ne i$, via a secure channel. In effect, $P_i$ obtains a 
   sequence of $n$ elements $(s_{1i}^{(2)}, \ldots, s_{ni}^{(2)})$ and computes her 
   secret share $s_i^{(2)} = \sum_{j=1}^{n} s_{ji}^{(2)} = F(2i)$, where the 
   polynomial $F(z) = \sum_{i=1}^{n} f_i(z)$. 

Note that during a run of the protocol, the secret $s = F(0) = \sum_{i=1}^{n} a_{i,0}$ 
is never exposed to principals. From now on, $s = F(0)$ will be called a seed, to 
differentiate it from the fresh secret key obtained by all principals involved in 
the conference. 
5.4 Call for Conference 

To trigger the conference, principals execute the following steps. 

1. The principal $P_i$ contacts the registry and fetches the necessary parameters, 
   including a random element $r$ and the generator $g$. If the element $r$ is not 
   on display, $P_i$ asks $R$ for one. $P_i$ also computes $\alpha = g^r$. 

2. $P_i$ prepares public shares $\beta_{ij} = \alpha^{s_{ij}^{(1)}}$ for 
   $j = 1, \ldots, n$. 

3. The principal $P_i$ broadcasts $\beta_{ij}$ to all principals $j = 1, \ldots, n$. 
   Note that this broadcasting need not be authenticated. 

4. After $P_i$ has obtained the $\beta_{kj}$'s from the other principals, she 
   recovers $n$ public shares 
   $\beta_j = \prod_{k=1}^{n} \beta_{kj} = \alpha^{F(2j-1)}$ for $j = 1, \ldots, n$. 

5. $P_i$ uses the $n$ public shares and her secret share $s_i^{(2)}$ to recover the 
   common secret $S = g^{rs} = \alpha^{s}$. Note that principals still use Lagrange 
   interpolation, but in the exponent. For details of how to compute $S$, the 
   reader is referred to the reference. 

6. $P_i$ takes the secret $S$, her name $id_i$ and a timestamp $TS_i$ and prepares 
   a string $\varepsilon_i = H(S \| id_i \| TS_i)$, where $H$ is a 
   cryptographically strong, collision-free hash function with a public 
   description. The triplet $(\varepsilon_i, id_i, TS_i)$ is broadcast (note that 
   the broadcast channel is assumed to provide authentication). 

7. $P_i$ collects $(\varepsilon_j, id_j, TS_j)$ from the other principals, checks 
   their authenticity and verifies them using her own secret $S$. If the checks 
   hold, $P_i$ is ready for the conference. Otherwise, $P_i$ announces the error 
   and aborts the protocol. 



5.5 Security Analysis 

The following theorem specifies which security goals are achievable by the pro- 
tocol. 

Theorem 1. Assume that the protocol is run by a group of honest principals, 
then the protocol attains the following security goals: (1) key freshness, (2) key 
confidentiality, (3) group authentication, (4) key confirmation. 

Proof. (1) The registry displays an integer $r$ randomly selected from $Z^{*}$. Note that the common secret key $S = g^{rs} = \alpha^{s}$ is fresh as long as $r$ is fresh. The freshness is probabilistic.

(2) Key confidentiality holds as, after broadcasting the shares $\beta_{ij} = \alpha^{s_{ij}^{(1)}}$, all outsiders know $n$ public shares only. As the Shamir scheme is perfect, $n$ shares do not provide any information about the secret when the threshold is $n+1$. Note that key confidentiality is preserved even if the outsider has unlimited computational power (as far as the secret sharing is concerned).

(3) To call the conference, all principals must be present and alive to broadcast the public shares of their private secret sharing schemes, so group authentication holds.

(4) After the conference has been called, every principal can check whether the other principals are holding the same secret by verifying the triplets $(\varepsilon_j, id_j, TS_j)$ for all $j \ne i$. Key confirmation is satisfied.

What if a subgroup of principals does not follow the protocol? Let us consider the following possibilities:

1. At the initialisation stage, the subgroup can intentionally lower the thresholds used in their private secret sharing schemes. This does not affect the working of the protocol: if at least one principal is honest, the threshold will be random and equal to $(n+1)$ with the probability $(1 - \ldots)$. If the subgroup increases the threshold of their private scheme, then at the call for conference stage the honest principals will recover inconsistent secrets and will abort the conference with an overwhelming probability. The subgroup of conspirators can establish a conference, but without the honest principals.

2. At the call for conference stage, the subgroup can broadcast modified shares of their private schemes. This will be detected by the honest principals when the secret is verified.

3. A disobedient principal $P_i$ can make public his secret sharing scheme (the polynomial $f_i(z)$). The conference can still be called, but without the involvement of $P_i$. This is another way of saying: call the conference whenever you wish. $P_i$ can still participate in conferences if her share $s_i^{(2)}$ remains secret. If $P_i$ goes further and discloses $s_i^{(2)}$, then the secret key becomes public if the rest of the principals follow the protocol. Otherwise, if some principals refrain from broadcasting their public shares, the conference will not go ahead.

We claim that the protocol can be used repeatedly to call conferences as the 
seed s remains secret and to recover the fresh secret key S, the principals need 
to use secret sharing to compute it. 

Recall that the Discrete Logarithm (DL) problem is defined as follows. Given the modulus $N$, the element $g$ and $h = g^{x} \bmod N$, what is $x$?

We can define a variant (VDL) of the DL problem as follows. Given the modulus $N$, the elements $g_1, \ldots, g_\ell$ and a sequence $h_1 = g_1^{x}, \ldots, h_\ell = g_\ell^{x}$, what is $x$?

Lemma 1. If the DL problem is intractable then so is the VDL problem.

Proof. By contradiction. Assume that there is a probabilistic polynomial-time algorithm $A$ which for any instance of VDL outputs the solution. So if we have an instance of the DL problem determined by the triplet $(N, g, h)$, we can first convert it to an instance of the VDL problem by selecting $\ell$ random values $\gamma_1, \ldots, \gamma_\ell$ and computing $g_1 = g^{\gamma_1}, \ldots, g_\ell = g^{\gamma_\ell}$ and the matching values $h_1 = h^{\gamma_1}, \ldots, h_\ell = h^{\gamma_\ell}$. Now we can input the instance to our algorithm and collect the solution $x$. It also means that the DL can be solved by our polynomial-time algorithm $A$. This is the requested contradiction.
Assume that our principals have been running the protocol $\ell$ times. We define a view $V_i(\ell)$ of principal $P_i$ which specifies the information available to $P_i$ after $\ell$ successful executions of the protocol. It is easy to verify that

$$V_i(\ell) = \{\ \ldots \ (\text{setup stage});\ \ \alpha_1 = g^{r_1}, \ldots \ (\text{1st run});\ \ \ldots;\ \ \alpha_\ell = g^{r_\ell}, \ldots \ (\ell\text{-th run})\ \} + \text{public information}$$

where $r_1, \ldots, r_\ell$ are random values obtained from $R$. Note that the strings $\varepsilon_i$ generated for key confirmation purposes are omitted from the view. The reason is that the assumption that the hash function is cryptographically strong is not enough to draw any conclusions about the overall security of the protocol. It is expected that the hash function must not share any homomorphic property with exponentiation (see [?]).

Theorem 2. Assume that we consider the protocol without key confirmation. If the principals honestly follow the protocol and run it successfully $\ell$ times, and the applied discrete logarithm instances are intractable, then the seed $s$ remains unknown to the principals (and to outsiders).

Proof. (Sketch) An honest principal knows her view $V_i(\ell)$. A principal can derive the seed from the secret sharing by trying to compute the missing shares. To do this, she must reverse all public shares revealed during a single run of the protocol. This is equivalent to solving instances of DL, which are assumed to be intractable. The second way to find the seed $s$ is to assemble an instance of VDL, which according to Lemma 1 is intractable.

Consider the efficiency of the protocol. The first part, in which principals design their private secret sharing schemes, is not computationally intensive. The reconstruction of the secret key $S$ and the key verification constitute the main computational overhead. To reconstruct the secret key, principals have to first compute their public shares and later use Lagrange interpolation to recover the polynomial and the secret $S = \alpha^{s}$.

Communication overhead for the protocol consists of two components. The first one involves confidential delivery of the shares $s_{ij}^{(2)}$ from any single principal to the others; this consumes $(n-1)$ confidential transmissions for every principal. The second component consists of broadcasting the shares $\beta_{ij} = \alpha^{s_{ij}^{(1)}}$. This takes $n$ broadcast transmissions for all principals. Table 1 summarises the communication and computation overhead for the protocol.

C.-H. Li and J. Pieprzyk

Our protocol compares favourably with other key agreement protocols. For example, the protocols by Burmester and Desmedt [?] are designed with a specific network configuration in mind. The most evident weakness of their protocols seems to be the lack of principal authentication. Just and Vaudenay [?] incorporated the authentication of principals into the Burmester-Desmedt protocols, but the authentication can be achieved with the neighbouring principals only.





Stage               | Step             | Communication (messages sent by each principal)        | Computation (calculations done by each principal)
--------------------|------------------|--------------------------------------------------------|------------------------------------------------------------------
Registration        |                  | 1 message sent to registry                             | 1 exponentiation
Setup               | preparation      |                                                        | ≈ 2n² multiplications and additions for computation of shares
Setup               | distribution     | n messages sent to other principals via secure channel | n exponentiations
Call for conference | share broadcast  | n broadcasts                                           | n exponentiations
Call for conference | key calculation  |                                                        | (n + 1) exponentiations (Lagrange interpolation)
Call for conference | key confirmation | 1 message broadcast                                    | hashing of a single message and 1 exponentiation for authentication

Table 1. Communication and computation requirements for the protocol



6 Modifications and Extensions of the Protocol 

Consider a modification of the protocol based on $(t+1, 2n)$ secret sharing, i.e. the threshold is $t+1$ and the number of shares is $2n$ ($t < n$) with $n$ principals. To initialise the protocol all $n$ principals are active. This stage is identical to the one used in our protocol. To trigger the conference, it is enough that $t$ principals broadcast their public shares. Let the set of the principals who broadcast the public shares be $A$. To obtain the common secret key, each principal (including those who have not broadcast their public shares) takes the broadcast public shares and corrects her secret share by removing the share contributions received from all principals not in $A$. In other words, principals are working with a secret sharing defined by $F_A(z) = \sum_{P_i \in A} f_{P_i}(z)$, where $f_{P_i}(z)$ is the polynomial defining the private secret sharing generated by $P_i$. The modified protocol has the following remarkable properties.

1. A principal who does not belong to A, can always join the conference later 
by using the public shares and key confirmation strings e. 
2. A principal not in $A$ can attend the conference passively, i.e. collect all the public information, which allows her to obtain the secret key. Later she can read all the information exchanged during the conference without the others knowing that she is present.

3. It is possible to add a new principal to the conference (enrolment). It is 
enough that a newcomer designs her private secret sharing and distributes 
her shares to other members and other members give her their shares. 

4. A principal can be expelled from the group (disenrolment). Assume that the conference group $A$ decided collectively to remove $P_k$ from the conference. Principals from $A \setminus P_k$ make public all the shares they have given to $P_k$ at the setup stage. Also they discard all shares obtained from $P_k$. In effect, the group $A \setminus P_k$ is working with the secret sharing $F_{A \setminus P_k}(z) = \sum_{P_i \in A,\, P_i \ne P_k} f_{P_i}(z)$. The share of this secret sharing held by $P_k$ is now public. So if $(t-1)$ principals from the group $A \setminus P_k$ broadcast their shares, all members except $P_k$ can recover the secret. $P_k$ knows her share given to her by the others at the setup stage and $(t-1)$ public shares. This is not enough to recover the secret (the threshold is $t+1$). Other principals know their own secret share, the share owned by $P_k$ and made public, and $(t-1)$ public shares, so they can recover the secret key and go ahead with the conference protocol. $P_k$ cannot participate in the conference. Observe that the effective threshold drops by one after each expulsion.

The requirement to construct $(n+1, 2n)$ secret sharing seems to be a bit artificial. The protocol can be converted into a protocol based on the $(t, n)$ Shamir scheme with shares divisible into a multiple of 2 subshares and $t = \ldots$ The construction of Shamir schemes with subshares is given in [?]. In this variant of the protocol, principals handle subshares to initialise and trigger the conference.
Abstract. The EEPROM modification attack was first described by Anderson and Kuhn in [3]. This simple and low-cost attack is very efficient against tamperproof devices carrying a secret key stored in EEPROM. Soon after the attack was published, we proposed a protection scheme using cascaded m-permutations of hidden wires [8]. This cascaded m-permutation protection scheme uses an $(m \times n)$-bit encoding for an $n$-bit key, and the best known attack on it will take at most $O(n^{m})$ probes to compromise the permutations of the hidden wires. However, it is observed that if a particular card (instead of the whole batch of cards) is to be compromised, the complexity can be greatly reduced, and in the best cases it can even be reduced to linear time complexity. In this paper, we demonstrate how this can be done, and propose a revised m-permutation scheme that closes the loophole. It is also proved that the probability of breaking the revised scheme will be $1/2^{n-1}$ for an $n$-bit key.



1 Introduction 

Anderson and Kuhn introduced the EEPROM modification attack in [3]. This 
is a physical attack in which two microprobing needles are used to set or clear 
target bits in an effort to infer those bits. In this attack, the location of the key 
within EEPROM is assumed to be known. This is in fact often the case, since, in 
practice, a DES key is often stored in the bottom eight bytes of the EEPROM. 
It is also assumed that EEPROM bits cannot be read directly since equipment 
to sense the value of an EEPROM bit is substantially more expensive than the 
microprobing needles. 

Anderson and Kuhn’s attack makes use of the key parity errors implemented 
in many applications utilizing DES. Their assumption is that the tamperproof 
device will not work (e.g., returning an error condition) whenever a key parity 
error is detected. 
Note that in addition to requiring only low-cost equipment, this attack can be carried out with very few probes. In particular, it takes only one or two probes to get each key bit and hence $2n$ or fewer probes for an $n$-bit key.

Although Anderson and Kuhn originally described the above attack with 
respect to a DES key and the associated key-parity bits, the attack can be 
generalized for an arbitrary key, with or without key-parity bits. In particular, 
to infer bit $i$, the attacker runs the device once before setting bit $i$, and once after 
setting bit i. If the output changes in any way (e.g., giving a key parity error or 
simply giving a different output), we know the original value for bit i is zero; if 
there was no change, the original value was one. Thus, the attack is quite general 
and can be applied to virtually any key stored in a known EEPROM location. 
To put our discussion in the most general terms, we use the term fault to include 
any kind of error or output change that can be exploited by an attacker. 

In our attempt to devise a scheme to protect the key bits from the modification attack, we proposed a cascaded m-permutation scheme [8] that greatly increases the number of probes needed to carry out an EEPROM modification attack. In this paper, we will discuss the weakness of the cascaded m-permutation scheme for the individual card and propose a revised scheme in which the assumption that the attacker cannot see the EEPROM is released. The probability of breaking this scheme is $1/2^{n-1}$ for an $n$-bit key.

Following the notation in [8], we will use 

1. K to denote the actual key bit vector. That is, the key value to be used by 
the card in encrypting, signing, etc. 

2. P to denote the physical key bit vector. This is the bit pattern stored in the 
EEPROM. 

2 Cascaded m-Permutation Protection 

2.1 Model 

Several assumptions have been made in [8]:

1. the attacker is a class I attacker [1], that is, a “clever outsider with moderately sophisticated equipment”.

2. P is assumed to be stored in EEPROM and that the attacker cannot read 
the EEPROM directly. 

3. the attacker is not able to see the exact wiring of the device. 

4. the attacker can get physical access to one or more of the devices and can 
operate each one as many times as desired. Other than the hidden wiring, 
the algorithm is open. 

This wiring is considered to be the “batch key”, which is known only to the 
manufacturers and to those who are legitimately programming the device. 

In addition, a protection scheme is formally specified by the following entities: 

1. $n$: the length of the actual key $K = k_0 k_1 \cdots k_{n-1}$

2. $p$: the length of the physical key $P = P[0] P[1] \cdots P[p-1]$

3. The function encode maps actual keys to physical keys and will be used at the card-programming / card-issuing organization (e.g., the bank) to produce the key patterns to be burned into the chip:

$$\mathit{encode} : \{0, 1\}^{n} \rightarrow \{0, 1\}^{p}$$

4. The decoding functions and wiring functions will be implemented by the chip manufacturer. For each actual key bit $i$, $0 \le i < n$:

- Define $A_i$ to be the arity (i.e., the number of inputs) of the $i$-th decoding function. (In the expected usage, $A_i \ge 1$.)

- For $0 \le i < n$, the decoding function $\mathit{decode}_i$ is the function producing the $i$-th bit of the actual key $K$ given $A_i$ bits of the physical key $P$:

$$\mathit{decode}_i : \{0, 1\}^{A_i} \rightarrow \{0, 1\}$$

- For $0 \le i < n$, the $i$-th wiring function determines the offset within $P$ from where a wire is connected to the $i$-th decoding function:

$$\mathit{wiring}_i : \{1, \cdots, A_i\} \rightarrow \{0, 1, \cdots, p-1\}$$

For example, $\mathit{wiring}_i(j) = k$ means the $j$-th input bit for the $i$-th decoding function is wired from the $k$-th bit of $P$.

2.2 Permutation 

In this approach, the manufacturer chooses (as the batch key) a random permutation of the $n$-bit key. This permutation is used to form $P$ at device programming time. To restore the actual key, $K$, the wiring inverts the permutation. In terms of the above model, this scheme is described as follows.

1. $p = n$

2. $A_i = 1$ for all $i$

3. encode = permutation function $\pi$:

$$\pi : \{0, 1, \cdots, n-1\} \rightarrow \{0, 1, \cdots, n-1\}$$

4. $\mathit{wiring}_i(1) = \pi^{-1}(i)$

5. $\mathit{decode}_i$ = identity function, and hence $k_i = P[\mathit{wiring}_i(1)]$

Breaking the Permutation Scheme. Even though the attacker does not know the permutation, he can break the permutation scheme in $O(n)$ probes, as follows. First, the attacker applies the original attack and, with $O(n)$ probes, finds the $n$ bits of $P$.

The attacker starts his attack knowing neither the permutation nor the actual key, $K$. However, he can find the permutation in an additional $O(n)$ probes. In particular, the wiring pattern can be found as follows. As the attacker knows the function of the device (e.g., encryption using DES), he can find the device output (using, e.g., a PC) for the following $n$ (i.e., for DES $n = 56$) actual keys: $0 \ldots 01, 0 \ldots 10, \cdots, 10 \ldots 0$. Let us name these $n$ outputs $a_1, \ldots, a_n$ (with very high probability, these $a_i$'s are distinct).

After computing the $a_i$, the attacker uses probes to write $0 \ldots 01$ to the area storing $P$, operates the device, and compares the encrypted result with all the $a_i$. Since the protection scheme is simply a permutation, one of the $a_i$ will match. Thus, the first wiring line is identified. Continuing with the remaining $n-1$ patterns ($0 \ldots 10, \cdots, 10 \ldots 0$), all the wiring information can be revealed. And thus, the key $K$ is found in $O(n)$ probes.

2.3 Protection via m Permutations 

We showed in [8] that by cascading (i.e. concatenating) $m$ ($\ge 2$) permutations (i.e. $P$ = 1st permuted $K \oplus \cdots \oplus$ $m$-th permuted $K$), it will take the attacker $O(n^{m})$ probes to compromise the batch key and $K$:

Theorem 1. If a protection scheme uses $m$ different permutations cascaded together, a brute-force search will take at most $O(n^{m})$ time for the attacker to compromise the batch key and $K$.



3 Observation 



The above theorem only gives an upper bound for breaking the whole batch of 
cards. Usually, we simply need to crack a single card instead of the whole batch 
of devices. With the above cascaded m-permutation scheme, it is hard to break 
the whole batch, but it may not be true for the individual card. 

One weakness of the cascaded m-permutation scheme is that the numbers of occurrences of 0s and 1s are preserved, though their locations are permuted. This gives the attacker additional information (the number of 0s and 1s in the key $K$) to exploit. Before we proceed to discuss this, the following definitions are introduced:

Definition 1. A permutation matrix $M_\pi$ corresponding to a permutation $\pi$ is a matrix which has the effect of permuting a vector by $\pi$ when it multiplies the vector. That is, $M_\pi K$ = permuted $K$.

$M_\pi$ will be an $n \times n$ matrix if $K$ is of length $n$, and $K$ is considered as an $n \times 1$ column vector. The matrix $M_\pi = (m_{ij})_{n \times n}$ can be derived from $\pi$ by

$$m_{ij} = \begin{cases} 1 & \text{if } j = \pi(i) \\ 0 & \text{otherwise} \end{cases}$$

(Note that we can also consider $K$ as a row vector. In this case, the permuted $K$ can be calculated by $K M_\pi^{T}$. It is only a matter of choice of notation, and in the following discussion we will treat $K$ as a column vector.)

Using this definition, we can describe the batch key for the cascaded m-permutation as an $m$-tuple $(M_{\pi_1}, M_{\pi_2}, \cdots, M_{\pi_m})$.
Definition 2. The minority ratio of a key $K$ of length $n$ is defined as the fraction of occurrences of 0s or 1s in $K$, whichever is smaller, to $n$.

The following lemma follows naturally from this definition:

Lemma 1. The minority ratio $r \le \frac{1}{2}$.

Consequently, when an attacker attempts to break a card protected by the 
above m-permutation scheme, it is observed that the attacker can estimate how 
much effort is needed if he makes use of the additional information of the occur- 
rence of Os and Is via the following theorem: 

Theorem 2. The complexity of breaking an individual card which is protected by the cascaded m-permutation scheme will be discounted multiplicatively by $r^{m}$ for the brute-force attack, where $r$ is the minority ratio of the $n$-bit key $K$ of the card.

Proof. Let $S$ be $\{0, \cdots, n-1\}$. Define $G_0 = \{i \in S \mid k_i = 0\}$ and $G_1 = \{i \in S \mid k_i = 1\}$. Pick

$$G = \begin{cases} G_0 & \text{if } |G_1| \ge |G_0| \\ G_1 & \text{if } |G_0| > |G_1| \end{cases}$$

where $|A|$ denotes the cardinality of the set $A$.

To break an individual card, we need to get $(M_{\pi_1}, M_{\pi_2}, \cdots, M_{\pi_m})$ and $P$ so that $K$ can be derived. Two facts are observed. First, $P$ can easily be compromised in $O(n)$ time using the modification attack. Second, for the individual card, there may exist more than one instance of $(M_{\pi_1}, M_{\pi_2}, \cdots, M_{\pi_m})$ that derives $K$ correctly together with $P$. This is obvious because if $r, s \in S - G$, then $M_{\pi_1} K = M'_{\pi_1} K$, where $M'_{\pi_1}$ is $M_{\pi_1}$ with rows $r$ and $s$ interchanged.

As a result, in cracking the batch key, instead of trying all $n$ vectors $000 \cdots 1, 000 \cdots 10, \cdots, 100 \cdots 0$, we need only try the cases corresponding to $i \in G$. Hence, the worst case complexity will be reduced multiplicatively by $r$ for each pass of the for loop. □

As a result, the complexity of breaking an individual card depends, to a certain extent, on $r$, which in turn depends on the bit pattern of $K$. In the best case, when $r$ approaches 0 (when $K$ has only a few 0s (or 1s) while the majority of the bits are 1s (or 0s)), the complexity falls to near-linear for this special case.

In the worst case, as $r$ is bounded by $\frac{1}{2}$, we have the following corollary:

Corollary 1. The complexity of breaking an individual card which is protected by the cascaded m-permutation scheme is bounded by $O((n/2)^{m})$ for the brute-force attack.

4 Revised Scheme 

To cover the holes that we described in the last section, we propose in this section a scheme in which

1. the bit occurrences of 0s and 1s in $K$ will be unknown to the attacker;

2. we do not care if the EEPROM can be read directly somehow.

The motivation for this scheme is that instead of storing the permuted $K$ as $P$, we store permuted versions of $K$ xor'ed with two independently chosen $n$-bit words $K_{D_i}$ which will be dumped after use.

The basic set-up is the same as the cascaded m-permutation scheme but with the following amendments:

1. $m$ must be odd

2. $P$ is no longer $M_{\pi_1} K \oplus \cdots \oplus M_{\pi_m} K$; instead, it will be $P = P_1 \oplus P_2 \oplus \cdots \oplus P_m$, where

$$P_1 = M_{\pi_1}(K \oplus M_{\pi_2} K_{D_2} \oplus M_{\pi_3} K_{D_3})$$
$$P_2 = M_{\pi_2}(K \oplus M_{\pi_3} K_{D_3} \oplus M_{\pi_4} K_{D_4})$$
$$\vdots$$
$$P_i = M_{\pi_i}\big(K \oplus M_{\pi_{(i+1 \bmod m)}} K_{D_{(i+1 \bmod m)}} \oplus M_{\pi_{(i+2 \bmod m)}} K_{D_{(i+2 \bmod m)}}\big)$$
$$\vdots$$
$$P_m = M_{\pi_m}(K \oplus M_{\pi_1} K_{D_1} \oplus M_{\pi_2} K_{D_2})$$

and, to help resolve the value of $K$, we store another $m$ $n$-bit words $(P_{D_1}, P_{D_2}, \cdots, P_{D_m})$ in EEPROM:

$$P_{D_1} = K \oplus K_{D_1}$$
$$P_{D_2} = K \oplus K_{D_2}$$
$$\vdots$$
$$P_{D_m} = K \oplus K_{D_m}$$

Note that the $K_{D_i}$'s will be dumped after use. Their values can only be deduced when both $K$ and the corresponding $P_{D_i}$'s are known.

3. One candidate decoding function is to get $K$ by

$$K = \bigoplus_{i=1}^{m} M_{\pi_i}^{-1} P_i$$

where the hidden wiring implements the $M_{\pi_i}^{-1}$.

Property 1. If the $P_i$'s are set up as above, then

$$\bigoplus_{i=1}^{m} M_{\pi_i}^{-1} P_i = \begin{cases} K & \text{if } m \text{ is odd} \\ 0 & \text{if } m \text{ is even} \end{cases}$$

As a result, if $m$ is odd, the above decoding function will always return the correct value of $K$ if the card has not been tampered with.



However, it is not an ideal decoding function, as the attacker can compromise the permutation details via the technique described in Section 2.2, by comparing the encrypted result of a vector with only one bit on, i.e., by setting $P_i$ to $000 \cdots 1, 000 \cdots 10, \cdots, 100 \cdots 0$ one by one while setting the other $P_j$'s ($j \ne i$) to $000 \cdots 0$, and comparing the result with the encrypted pattern of $000 \cdots 1, 000 \cdots 10, \cdots, 100 \cdots 0$ respectively.

A method is needed to ensure that the above system of equations is satisfied. That is, we need to find an expression for $K$ that is not expensive (in terms of the complexity of building the circuit) to calculate, and at the same time avoids the above attack. Our approach is to find an initial guess of $K$ first, and then substitute it into the above system of equations:

1. $K$ is initially set as $\bigoplus_{j=1}^{m} M_{\pi_j}^{-1} P_j$.

2. Rearranging the above system of equations for the $P_i$'s, we have then, for all $i$,

$$K = M_{\pi_i}^{-1} P_i \oplus M_{\pi_{(i+1 \bmod m)}}\Big(P_{D_{(i+1 \bmod m)}} \oplus \bigoplus_{j=1}^{m} M_{\pi_j}^{-1} P_j\Big) \oplus M_{\pi_{(i+2 \bmod m)}}\Big(P_{D_{(i+2 \bmod m)}} \oplus \bigoplus_{j=1}^{m} M_{\pi_j}^{-1} P_j\Big)$$

If the $P_i$'s have not been tampered with, the correct $K$ will be returned if we logically AND, or logically OR, all these $m$ $K$'s. Hence, $K$ can be calculated via the following steps:

1. Calculate $K_{and}$ by:

$$K_{and} = \bigwedge_{i=1}^{m} \Big\{ M_{\pi_i}^{-1} P_i \oplus M_{\pi_{(i+1 \bmod m)}}\Big(P_{D_{(i+1 \bmod m)}} \oplus \bigoplus_{j=1}^{m} M_{\pi_j}^{-1} P_j\Big) \oplus M_{\pi_{(i+2 \bmod m)}}\Big(P_{D_{(i+2 \bmod m)}} \oplus \bigoplus_{j=1}^{m} M_{\pi_j}^{-1} P_j\Big) \Big\}$$

2. Calculate $K_{or}$ by:

$$K_{or} = \bigvee_{i=1}^{m} \Big\{ M_{\pi_i}^{-1} P_i \oplus M_{\pi_{(i+1 \bmod m)}}\Big(P_{D_{(i+1 \bmod m)}} \oplus \bigoplus_{j=1}^{m} M_{\pi_j}^{-1} P_j\Big) \oplus M_{\pi_{(i+2 \bmod m)}}\Big(P_{D_{(i+2 \bmod m)}} \oplus \bigoplus_{j=1}^{m} M_{\pi_j}^{-1} P_j\Big) \Big\}$$

3. If $K_{and} = K$ and $K_{or} = K$, then return $K$; else return an error message.

With these steps, it is highly probable that an error message will be returned if the attacker applies an attack by setting one $P_i$ to $00 \cdots 1$ while setting the other $P_j$'s ($j \ne i$) to $00 \cdots 0$.
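The revised scheme's encoding, the Property 1 decoder and the AND/OR check above, as an added example that is not part of the original paper: a Python simulation of the card with constructed parameters (n = 24, m = 3, a seeded RNG) in which the decoder simply knows the inverse permutations in place of the hidden wiring, plus the one-hot probe of this section, to show the check returning the error result instead of a key.

```python
"""Revised m-permutation scheme (Section 4) on a simulated card.

Added example, not the paper's own code.  An n-bit word is an int with bit i = k_i;
a permutation pi is a tuple and M_pi K is the word whose bit i is K[pi(i)]
(m_ij = 1 iff j = pi(i)).  The hidden wiring of a real card is modelled by the
decoder simply knowing the inverse permutations; all parameters are constructed.
"""
import random
from functools import reduce
from operator import and_, or_, xor


def permute(pi, word):
    """M_pi word: output bit i is taken from input bit pi[i]."""
    return sum(((word >> pi[i]) & 1) << i for i in range(len(pi)))


def inverse(pi):
    """pi^-1, so that permute(inverse(pi), permute(pi, w)) == w."""
    inv = [0] * len(pi)
    for i, p in enumerate(pi):
        inv[p] = i
    return tuple(inv)


def issue_card(K, n, m, rng):
    """Card-issuer side.  Chooses the batch key (m permutations) and m one-time
    words K_D_i, stores P_i = M_pi_i (K xor M_pi_{i+1} K_D_{i+1} xor M_pi_{i+2} K_D_{i+2})
    and P_D_i = K xor K_D_i (indices cyclic mod m).  The K_D_i are not returned:
    they are 'dumped after use'."""
    assert m % 2 == 1, "Property 1 needs an odd m"
    perms = []
    for _ in range(m):
        pi = list(range(n))
        rng.shuffle(pi)
        perms.append(tuple(pi))
    KD = [rng.getrandbits(n) for _ in range(m)]
    P = []
    for i in range(m):
        j, k = (i + 1) % m, (i + 2) % m
        P.append(permute(perms[i], K ^ permute(perms[j], KD[j]) ^ permute(perms[k], KD[k])))
    PD = [K ^ kd for kd in KD]
    return perms, P, PD


def naive_decode(P, perms):
    """Property 1: xor_i M_pi_i^-1 P_i equals K for odd m, since every M_pi_j K_D_j
    term occurs in exactly two of the P_i and cancels."""
    return reduce(xor, (permute(inverse(pi), p) for pi, p in zip(perms, P)))


def checked_decode(P, PD, perms):
    """Section 4 decoder: take the naive value as the initial guess of K, rebuild
    K_D_j = P_D_j xor guess, re-derive K from each of the m equations and accept
    only if the bitwise AND and the bitwise OR of the m results both equal the
    guess.  Returns K, or None for the card's error message."""
    m = len(perms)
    guess = naive_decode(P, perms)
    estimates = []
    for i in range(m):
        j, k = (i + 1) % m, (i + 2) % m
        estimates.append(permute(inverse(perms[i]), P[i])
                         ^ permute(perms[j], PD[j] ^ guess)
                         ^ permute(perms[k], PD[k] ^ guess))
    k_and, k_or = reduce(and_, estimates), reduce(or_, estimates)
    return guess if k_and == guess == k_or else None


def one_hot_probe(PD, perms, i, position):
    """The probe of Section 4 as seen by the card: P_i overwritten with a single 1 at
    `position`, every other P_j with 0.  The checked decoder should answer None
    instead of producing a key whose encryption could be compared against."""
    P = [0] * len(perms)
    P[i] = 1 << position
    return checked_decode(P, PD, perms)


def demo(n=24, m=3, seed=1999):
    """Constructed end-to-end run with a seeded RNG.  Returns the key, what each
    decoder recovers, and how many of the n one-hot probes on P_1 were accepted."""
    rng = random.Random(seed)
    K = rng.getrandbits(n)
    perms, P, PD = issue_card(K, n, m, rng)
    accepted = sum(one_hot_probe(PD, perms, 0, pos) is not None for pos in range(n))
    return {"K": K, "naive": naive_decode(P, perms),
            "checked": checked_decode(P, PD, perms), "probes_accepted": accepted}
```

A probe passes the check only if the m re-derived values happen to coincide with the one-hot guess, which for random $P_{D_i}$ has probability on the order of $2^{-n}$ per probe.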

5 Analysis 

First, the following property of the binomial coefficients $C^{n}_{i}$ of $(1+x)^{n}$ is noted:

Property 2. $\sum_{i \text{ even}} C^{n}_{i} = \sum_{i \text{ odd}} C^{n}_{i} = 2^{n-1}$

That is, the sum of the coefficients of the even-powered terms is equal to the sum of the coefficients of the odd-powered terms.

Proof. This follows directly from the fact that $(1+x)^{n}$ vanishes at $x = -1$.

With this property, we further note that in most of the cases the attacker has a probability of $1/2^{n-1}$ of guessing the correct $n$-bit key. This security is based on the following properties.

Property 3. If $\pi$ is an unknown permutation, and $X$ and $Y$ are random variables of $n$-bit binary words in which $X = M_\pi Y$, then

$$P(Y = y \mid X = x) = P(X = x \mid Y = y) = \frac{1}{C^{n}_{nr}}$$

where $r$ is the minority ratio of $y$ (and $x$) as defined in Section 3.

Proof. To apply an unknown permutation $\pi$ on $x$ (or $y$) with minority ratio $r$, there will be $C^{n}_{nr}$ possible distinct bit patterns for $y$ (or $x$), and hence the result. □



On m-Permutation Protection Scheme against Modification Attack

Property 4. If the $\pi_i$'s are unknown permutations, the $X_{D_i}$'s are independently chosen random variables of $n$-bit binary words, and $X$ and $Y$ are random variables of $n$-bit binary words satisfying

$$Y = M_{\pi_1}(X \oplus M_{\pi_2} X_{D_2} \oplus M_{\pi_3} X_{D_3}),$$

then

$$P(X = x \mid Y = y) = P(X = x).$$

Proof. Let $R = M_{\pi_2} X_{D_2} \oplus M_{\pi_3} X_{D_3}$ and $Y' = X \oplus R$. Then $Y = M_{\pi_1} Y'$. By Bayes' theorem,

$$P(X = x \mid Y' = y') = \frac{P(X = x \wedge Y' = y')}{P(Y' = y')}.$$

As

$$P(X = x \wedge Y' = y') = P(X = x \wedge R = y' \oplus x) = P(X = x)\,P(R = y' \oplus x) \ \text{(due to independence)} = P(X = x)\,a, \text{ say,}$$

and

$$P(Y' = y') = \sum_{x} P(X = x \wedge Y' = y') = \sum_{x} P(X = x)\,a = a \sum_{x} P(X = x) = a,$$

we have

$$P(X = x \mid Y' = y') = \frac{P(X = x)\,a}{a} = P(X = x).$$

Hence,

$$P(X = x \mid Y = y) = \frac{P(X = x \wedge Y = y)}{P(Y = y)} = \frac{P(X = x \wedge Y' = y')}{P(Y' = y')} \ \text{(as } \pi_1 \text{ is 1-1 and onto)} = P(X = x \mid Y' = y') = P(X = x).$$

□



Property 5. If $\pi_1$ and $\pi_2$ are two unknown permutations, and $W_1$ and $W_2$ are two $n$-bit words (with $n_1$ and $n_2$ 1s respectively), then the probability of guessing $W = M_{\pi_1} W_1 \oplus M_{\pi_2} W_2$ is given by

$$\frac{1}{\sum_{i=0}^{(u-l)/2} C^{n}_{l+2i}}$$

where

$$l = |n_1 - n_2|, \qquad u = \begin{cases} n_1 + n_2 & \text{if } n_1 + n_2 \le n \\ 2n - (n_1 + n_2) & \text{if } n_1 + n_2 > n \end{cases}$$

Given $m \ge 3$, for any $m$ $n$-bit words $W_1, W_2, \cdots, W_m$ (with $n_1, n_2, \cdots, n_m$ 1s respectively), if there exist

1. two words $W_i$ and $W_j$, $i \ne j$, such that the resulting $W' = M_{\pi_i} W_i \oplus M_{\pi_j} W_j$ has possibly $l, l+2, \cdots$ and $u$ 1s; and

2. a third word $W_k$, $k \ne i$, $k \ne j$, such that $l \le n_k \le u$ and $n_i + n_j + n_k > n$,

then the probability of guessing $W = \bigoplus_{i=1}^{m} M_{\pi_i} W_i$ is $1/2^{n-1}$.

Proof. In this proof, we first imagine all the 1s of the $W_i$'s sink down to the bottom of the column vectors while the 0s float at the top, and then try to figure out the total number of possible bit patterns of the resulting vector when the 1s of one vector start to float gradually to the top.

For the $m = 2$ case: if $W = M_{\pi_1} W_1 \oplus M_{\pi_2} W_2$, then $W$ has at least $|n_1 - n_2|$ 1s, when the 1s of the shorter vector cancel out part of the 1s of the longer vector (as $1 \oplus 1 = 0$). $W$ will have at most $n_1 + n_2$ 1s, when the 1s from $W_1$ and $W_2$ stack up within the $n$-bit boundary. If $n_1 + n_2$ is greater than $n$, some of the $n_1 + n_2$ 1s will be forced to coincide with each other (which has the effect of losing 1s, as $1 \oplus 1 = 0$), and the resulting number of 1s in $W$ will be $n - (n_1 + n_2 - n) = 2n - (n_1 + n_2)$.

Hence, $W$ is expected to have at least $l$ 1s and at most $u$ 1s. It is also noted that $l$ and $u$ have the same parity, and so $u - l$ is even. When the shorter vector starts to float upwards to the top, the number of 1s will be incremented by 2 each time. Therefore, the possible number of 1s in $W$ can only be $l, l+2, \cdots, u$, and so the possible number of bit patterns for $W$ will be $\sum_{i=0}^{(u-l)/2} C^{n}_{l+2i}$; hence the probability of guessing the correct bit pattern is $1 / \sum_{i=0}^{(u-l)/2} C^{n}_{l+2i}$.

For the $m \ge 3$ case: if $W' = M_{\pi_i} W_i \oplus M_{\pi_j} W_j$ has possibly $l, l+2, \cdots$ and $u$ 1s and $W_k$ has $n_k$ 1s, where $l \le n_k \le u$ and $n_i + n_j + n_k > n$, then depending on whether $n_k$ is odd or even, $W'' = W' \oplus M_{\pi_k} W_k$ will possibly have $1, 3, \cdots, 2(\lceil n/2 \rceil - 1) + 1$ 1s if $n_k + l$ is odd, while it will possibly have $0, 2, \cdots, 2\lfloor n/2 \rfloor$ 1s if $n_k + l$ is even. Therefore, there will be $\sum_{i} C^{n}_{2i} = \sum_{i} C^{n}_{2i+1} = 2^{n-1}$ different bit patterns for $W''$, and hence the probability of guessing its value is $1/2^{n-1}$. Adding more terms to $W''$ will not increase the possible bit patterns; it simply provides alternative routes to get to a particular bit pattern. □
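A check of Property 5 by enumeration, as an added example that is not part of the original paper: for a constructed $n = 6$ it counts the distinct values of $\bigoplus_k M_{\pi_k} W_k$ over all choices of the permutations and compares them with the closed forms above, including a triple of words that violates the $n_i + n_j + n_k > n$ condition and therefore falls short of $2^{n-1}$.

```python
"""Counting the patterns an attacker must guess for W = xor_k M_pi_k W_k (Property 5).

Added example, not the paper's own code.  Since each pi_k is an unknown
permutation, M_pi_k W_k can be any n-bit word with the same number of 1s as W_k,
so the attacker's uncertainty is the number of distinct xors of such words; the
enumeration below checks the closed forms of Property 5 on a constructed n = 6 case.
"""
from itertools import combinations
from math import comb


def words_of_weight(n, w):
    """All n-bit words (as ints) with exactly w ones."""
    return [sum(1 << i for i in idx) for idx in combinations(range(n), w)]


def reachable_patterns(n, weights):
    """Distinct values of xor_k M_pi_k W_k over all choices of the permutations,
    where W_k has weights[k] ones (only the weights matter, not the words)."""
    patterns = {0}
    for w in weights:
        patterns = {p ^ x for p in patterns for x in words_of_weight(n, w)}
    return patterns


def weight_range_two(n, n1, n2):
    """(l, u) of Property 5 for m = 2: W can have l, l + 2, ..., u ones."""
    l = abs(n1 - n2)
    u = n1 + n2 if n1 + n2 <= n else 2 * n - (n1 + n2)
    return l, u


def predicted_count_two(n, n1, n2):
    """Property 5, m = 2: the number of candidate patterns is sum_i C(n, l + 2i)."""
    l, u = weight_range_two(n, n1, n2)
    return sum(comb(n, l + 2 * i) for i in range((u - l) // 2 + 1))


def third_word_condition(n, n1, n2, n3):
    """Property 5, m >= 3: with l <= n3 <= u and n1 + n2 + n3 > n the count reaches
    2^(n-1), i.e. every word of one parity of weight becomes possible."""
    l, u = weight_range_two(n, n1, n2)
    return l <= n3 <= u and n1 + n2 + n3 > n


def report(n, weights):
    """Enumerated count alongside the formula that applies to these weights
    (for three or more words the condition is checked on the first three only)."""
    count = len(reachable_patterns(n, weights))
    if len(weights) == 2:
        predicted = predicted_count_two(n, *weights)
    elif third_word_condition(n, *weights[:3]):
        predicted = 2 ** (n - 1)
    else:
        predicted = None            # Property 5 makes no claim without the condition
    return count, predicted


if __name__ == "__main__":
    for weights in [(3, 2), (4, 4), (3, 2, 3), (1, 1, 1)]:
        print(weights, "enumerated / predicted:", report(6, weights))
```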

By virtue of the above properties, the knowledge of the $P_i$'s as described by the revised scheme doesn't leak any information about $K$. As these $P_i$'s are independent of each other, the probability of guessing $K$ will be $1/2^{n-1}$ if there are at least 3 $P_i$'s satisfying the above properties, and the security is approximately that of guessing an unknown key $n-1$ bits long.

The extra $P_{D_i}$'s stored in the EEPROM will not help the attacker much, as it is basically a one-time pad setup and its existence is unconditionally secure.

As the security of the scheme is affected by the number of Is in Pi’s, it would 
be wise to abandon candidate Pi’s with very small number of Is or very large 
number of Is. For example, if Pi = 111 • • • 1, it contributes no protection at all, 
as any permutation applied to this value will remain the same. 



6 Discussion 

In this paper, we proposed a revised scheme that closes the loopholes (due to information leaked by the number of occurrences of 0s and 1s) by storing $m$ (e.g. $m = 3$) $P_i$'s, each of which is formed by first xor'ing $K$ with two permuted versions of independently chosen $n$-bit words $K_{D_{(i+1 \bmod m)}}$ and $K_{D_{(i+2 \bmod m)}}$, and then permuting the result. With this setup, two goals are achieved: (1) the bit occurrences of 0s and 1s are hidden, as each $P_i$ is now more than a permuted version of $K$, and (2) the attacker has only a probability of $1/2^{n-1}$ of guessing the $n$-bit key $K$. In addition, the restriction that the EEPROM cannot be read directly has been released. But then, as the whole security relies on the difficulty of solving for the batch key, this method would fail for attackers who have access to equipment that can reverse-engineer the whole card and see the wiring configuration (that is, see the



Acknowledgments 

We would like to thank Dr. M.J. Golin for his helpful comments and numerous 
remarks on this work. 







Inversion Attack and Branching 



Jovan Dj. Golic¹, Andrew Clark², and Ed Dawson² 

¹ School of Electrical Engineering, University of Belgrade 
Bulevar Revolucije 73, 11001 Belgrade, Yugoslavia 
Email: golic@galeb.etf.bg.ac.yu 

² Information Security Research Centre, Queensland University of Technology 
GPO Box 2434, Brisbane Q 4001, Australia 
Email: {aclark, dawson}@fit.qut.edu.au 



Abstract. The generalized inversion attack on nonlinear filter generators 
is developed and analyzed by the theory of critical branching processes. 
Unlike the inversion attack, which requires that the filter function be 
linear in the first or the last input variable, this attack can be applied to 
any filter function. Both theory and systematic experiments 
show that its time complexity remains close to 2^M, M being the input 
memory size, while the additional memory space required is relatively 
small for most filter functions. 



1 Introduction 

Nonlinear filter generators are popular building blocks in shift register based 
keystream generators for stream cipher applications, because they enable one to 
achieve cryptographic security with a relatively small number of shift registers. 
A binary nonlinear filter generator consists of a single binary 
linear feedback shift register (LFSR), with a typically primitive feedback 
polynomial, and a nonlinear boolean function whose inputs are taken from some shift 
register stages to produce the output. A nonlinear filter generator should be 
designed so as to resist all known applicable cryptanalytic attacks. The objective 
of the cryptanalytic attacks considered is to determine the unknown, secret key 
controlled LFSR initial state from a sufficiently long segment of the known 
keystream sequence. A set of design criteria to achieve a long period, a high linear 
complexity, and good statistical properties of the keystream sequence, as well as 
resistance to the fast correlation attack, to the conditional correlation 
attack, and to the inversion attack, is recommended in the literature. 

Let r be the LFSR length, let n denote the number of nondegenerate input 
variables of the filter function f, let γ = (γ_i)_{i=1}^n denote the tapping sequence 
specifying the inputs to f, and let M = γ_n − γ_1 denote the input memory size of 
the nonlinear filter generator regarded as a finite input memory combiner with 
one input and one output [2]. 

The inversion attack applies as such to the case when the filter function 
is linear in the first or the last input variable, and runs forwards or backwards 
accordingly. This case is important as the only known case in which the output 
sequence of a nonlinear filter generator, as a combiner with one input and one 
output, is purely random for every possible choice of the tapping sequence γ given 
that the input sequence is purely random. It has even been conjectured that other 
such cases may not exist at all. The attack consists in guessing the unknown M 
bits of the initial memory state, which is a part of the unknown LFSR initial 
state, then in the (unique) inversion of the first r − M bits of the known keystream 
sequence into the corresponding r − M bits of the LFSR sequence, and, finally, 
in checking the output sequence produced from the LFSR sequence obtained 
by the linear recursion from the determined r bits on additional M + c bits of 
the keystream sequence (where c is a small positive integer). Its computational 
complexity is at worst 2^M, or 2^(M-1) on average. 

To render the inversion attack infeasible, γ should be such that M is large 
and preferably close to its maximum possible value r − 1. In addition, to prevent 
reducing the effective input memory size by a uniform decimation technique, 
the greatest common divisor of (γ_(i+1) − γ_i)_{i=1}^{n-1} should be equal to one. 

Another way of preventing the inversion attack is to choose f that is linear 
in neither the first nor the last input variable. Of course, if M is large, then it 
is not possible to check by exhaustive analysis of the associated augmented 
function (M + 1 successive output bits as a function of 2M + 1 input ones) whether 
the output is purely random given that the input is such. Nevertheless, if the 
design criteria related to positive difference sets and correlation immunity are 
respected, then it is not practically possible to find a statistical weakness in the 
output even if it exists. However, a more general, so-called generalized inversion 
attack has also been suggested which may work for any filter function. It goes 
along similar lines as the inversion attack with the only difference that the first 
r − M keystream bits are not necessarily uniquely inverted into the corresponding 
r − M input bits of the LFSR sequence. 

Instead, a binary tree structure of maximum depth r − M is formed to store 
all possible solutions for the r − M input bits, for every guessed initial memory 
state. It has also been suggested that the theory of branching processes may be 
used to analyze the size of the resulting trees. While it is certainly true that 
the correct (very likely unique) LFSR sequence must be found by this attack, 
it remains to analyze its complexity, especially if r − M is large. The main 
question to be answered is whether the resulting trees are then so large that the 
complexity gets close to 2^r, which would render the attack ineffective. This is 
exactly the main objective of this paper. We will show both by the theory of 
branching processes and experimentally that the complexity of the generalized 
inversion attack is, perhaps surprisingly, also very close to 2^M regardless of the 
choice of the filter function. Consequently, the choice of f cannot prevent the 
inversion attack in its generalized form. 

The inversion attack is briefly reviewed in Section 2, the generalized 
inversion attack is described and further developed in Section 3 and analyzed by 
the theory of critical branching processes (outlined in the Appendix) in 
Section 4, experimental results are presented and discussed in Section 5, and the 
conclusions are given in Section 6. 
2 Inversion Attack 

Let x = (x(t))_{t=-r}^∞ be a binary maximum-length sequence of period 2^r − 1 
((x(t))_{t=-r}^{-1} is the LFSR initial state), let f(z_1, ..., z_n) be a boolean function of 
n, n ≤ r, nondegenerate input variables, and let γ = (γ_i)_{i=1}^n be an increasing 
sequence of nonnegative integers such that γ_1 = 0 and γ_n ≤ r − 1. Then the 
output sequence y = (y(t))_{t=0}^∞ of the nonlinear filter generator is defined by 

    y(t) = f(x(t − γ_1), ..., x(t − γ_n)),   t ≥ 0.    (1) 

If we assume that the input sequence is purely random, that is, a sequence of 
balanced (uniformly distributed) and independent bits (binary random variables), 
and that the filter function is balanced (has balanced output given a balanced 
input), then the output sequence is not necessarily such. It has been shown that the 
output sequence is purely random for every tapping sequence if f(z_1, ..., z_n) = 
z_1 + g(z_2, ..., z_n) or f(z_1, ..., z_n) = g(z_1, ..., z_(n-1)) + z_n. 

The objective of the inversion attack is to reconstruct the LFSR initial state 
from a segment of the keystream sequence, given the LFSR feedback polynomial 
of degree r, the filter function f, and the tapping sequence γ. The attack runs 
forwards or backwards depending on whether f is linear in the first or the last 
input variable, respectively. In the former case, put (1) into the form 

    x(t) = y(t) + g(x(t − γ_2), ..., x(t − γ_n)),   t ≥ 0,    (2) 

which means that the nonlinear filter generator as a combiner with one input 
and one output is invertible if the initial memory state is known. The forward 
inversion attack then goes as follows. 

1. Assume (not previously checked) M bits (x(t))_{t=-M}^{-1} of the unknown initial 
memory state. 

2. By using (2), generate a segment (x(t))_{t=0}^{r-M-1} of the input sequence from a 
known segment (y(t))_{t=0}^{r-M-1} of the keystream sequence. 

3. By using the LFSR linear recursion, generate a sequence (x(t))_{t=r-M}^{r+c-1} from 
the first r bits (x(t))_{t=-M}^{r-M-1}. 

4. By using (1), compute (y(t))_{t=r-M}^{r+c-1} from (x(t))_{t=r-2M}^{r+c-1} and compare with the 
observed (y(t))_{t=r-M}^{r+c-1}. If they are the same, then accept the assumed initial 
memory state and stop. Otherwise, go to step 1. 

It takes 2^(M-1) trials on average to find a correct initial memory state. One may 
as well examine all 2^M initial memory states. In that case, the algorithm yields 
all the LFSR sequences that produce the given keystream sequence of length N. 
The candidate initial states found could then be examined on a longer sequence 
as well, which may reduce their number. If the determined LFSR sequence is 
not unique, then any such sequence is a satisfactory solution (equivalent LFSR 
initial states yielding the same keystream sequence), but for most filter functions 
this situation is very unlikely. 
3 Generalized Inversion Attack 

The generalized inversion attack applies to an arbitrary filter 
function f which need not be linear in the first or the last input variable. Without 
essential loss of generality, f is assumed to be balanced. For such a function, there 
exists a nonzero fraction p_+ of values of the input variables (z_2, ..., z_n) where f 
is equal to zero or one (equally likely) regardless of z_1 and, similarly, a nonzero 
fraction p_- of values of the input variables (z_1, ..., z_(n-1)) where f is equal to zero 
or one (equally likely) regardless of z_n. In this case, one should find the minimum 
of p_+ and p_- and then accordingly apply the generalized inversion attack in the 
forward or backward direction. In the generalized inversion attack, the objective 
is to find all possible, not necessarily unique, input sequences of length r − M 
consistent with a given segment of the keystream sequence of the same length, 
for each assumed initial memory state, whereas the rest is the same as in the 
inversion attack. The (generalized) inversion attack thus exploits the dependence 
between the input and the output sequence to the maximum possible extent. 



3.1 Forward and Backward Attacks 

In the forward generalized inversion attack, given the current output bit y(t) and 
a guessed current memory state (x(i))_{i=t-M}^{t-1} (the preceding M input bits), the 
basic equation (1) may have a unique solution for x(t), may have no solution for 
x(t), or may have two solutions for x(t) (both zero and one). Given a segment 
of r − M successive output bits, proceeding forwards one bit at a time, one can 
thus obtain and store all possible solutions for an input sequence in a binary 
tree structure of maximum depth r − M. Each node in the tree represents an 
internal memory state of M successive input bits. Similarly, in the backward 
inversion attack one proceeds backwards one bit at a time, each time finding 
from equation (1) all possible solutions for x(t − M) given the current output 
bit y(t) and a guessed current memory state (x(i))_{i=t-M+1}^{t} (the next M input 
bits). Accordingly, without loss of generality, from now on we will deal only with 
the forward generalized inversion attack. 

Let, for simplicity, p = p_+. In the probabilistic model where the LFSR initial 
state is chosen uniformly at random, any M + 1, M ≤ r − 1, successive input 
bits (defining the inputs to f) are balanced and independent. Without essential 
difference, the given keystream sequence can be considered either as fixed or as 
purely random and independent of the LFSR sequence. In this model, for any t ≥ 
0, the number of possible solutions for the current input bit x(t) is a nonnegative 
integer random variable Z with the probability distribution, independent of t, 

    Pr{Z = 0} = p/2,   Pr{Z = 1} = 1 − p,   Pr{Z = 2} = p/2.    (3) 

Its expected value and variance are given by 

    μ = 1,   σ² = p.    (4) 
3.2 Basic Attack 

It is interesting to examine the case p = 1, when f does not effectively depend 
on the first input variable z_1, in more detail. Then M is bigger than the effective 
memory size, and guessing M successive input bits is the same as guessing all 
the input bits to f as well as some additional input bits if γ_2 − γ_1 > 1. Accordingly, 
the attack can then be reduced to the so-called basic generalized inversion 
attack, in which one guesses M + 1 successive input bits (x(i))_{i=t-M}^{t} and then 
checks whether the corresponding output bit determined by f is the same as 
the observed y(t) or not. If not, then there is no solution for the next input bit 
x(t + 1) and the guess is discarded as incorrect. If yes, then there are two possible 
solutions for x(t + 1) and the search is continued in the same manner for both of 
them. In the probabilistic model as above, the number of solutions for x(t + 1) is 
a random variable Z defined by (3) for p = 1. It takes only two values, 0 and 2, 
each with probability 1/2, and has the expected value and variance both equal 
to 1, see (4). 

Initially, exactly one half of the guesses are discarded, so that the total 
effective number of initial guesses is in fact 2^M, which is the same as before. Of 
course, the corresponding 2^(M+1) trees, half of which are empty, store all the 
solutions for the input sequences of length r − M given the known output sequence 
of the same length, which are the same as above, but the trees are different. Each 
node contains M + 1 rather than M successive input bits and the trees have 
maximum depth r − M − 1 rather than r − M, but the nodes at the first and 
the last level have to be checked for consistency with the first and the 
last output bit, respectively. The main difference from the generalized inversion 
attack described above is that the nodes at each level have to be generated 
before they are tested for consistency with the corresponding output bit. The trees 
can be grouped in 2^M pairs, each corresponding to the same initial memory state, 
and each pair can be aggregated into a single tree, the same as above, in an 
obvious way by discarding all the nodes without branches leaving them. So, the 
basic generalized inversion attack is less efficient, as should be expected, since it 
does not make use of p_+ being smaller than 1. The basic attack can run in 
the backward direction as well. 

3.3 Binary Trees 

In the forward generalized inversion attack, for each assumed initial memory 
state (x(t))_{t=-M}^{-1}, the obtained binary tree, representing all the solutions for 
the next r − M bits (x(t))_{t=0}^{r-M-1} consistent with the known r − M output bits 
(y(t))_{t=0}^{r-M-1}, is, of course, unique given (y(t))_{t=0}^{r-M-1}. For each 1 ≤ n ≤ r − M, 
let Z_n denote the number of nodes at level n, that is, the number of input segments 
(x(t))_{t=0}^{n-1} of length n that are consistent with the output segment (y(t))_{t=0}^{n-1}. The 
initial level n = 0 contains only one node representing an initial memory state 
(x(t))_{t=-M}^{-1}, whereas each node in the tree represents an internal memory state 
of M successive input bits. In practice, one can also store only one level at a 
time, but then each node at level n should represent an input segment of variable 
size n, 1 ≤ n ≤ r − M, rather than of constant size M. Another possibility would 
be to store only one bit per node, but then the whole tree must be kept, and for 
each node, the internal state needed for the construction process is recovered by 
backtracking through the preceding M − 1 levels. 

Let Y_n = Σ_{l=1}^{n} Z_l denote the total number of nodes in the tree up to level 
n, without counting the initial node. Then the (normalized) time and space 
complexities of the tree construction process are given as Σ Y_{r-M}/(r − M) and 
max{Y_{r-M}}, where the sum and the maximum are both over all 2^M initial 
memory states. If one stores input segments of variable size rather than internal 
memory states, then the space complexity (in bits) for a single tree is max{l Z_l : 
1 ≤ l ≤ r − M} rather than M Y_{r-M}. The total number of the obtained solutions 
for input segments (x(t))_{t=-M}^{r-M-1} of length r that are consistent with the given 
output segment is given as Σ Z_{r-M}, where the sum is over all 2^M initial memory 
states. Note that for the basic generalized inversion attack, the figures are slightly 
different. Namely, the space complexity is max{Y_{r-M-1}}, the time complexity 
is Σ (1 + Y_{r-M-1})/(r − M), and the total number of solutions is Σ Z_{r-M} 
(the nodes at level r − M are not effectively produced), where the sums and the 
maximum are over all initial guesses. 

Consequently, the main problem to be addressed is how large these values 
can grow as r − M increases. 
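To make the tree construction of Sections 3.1 and 3.3 concrete, here is an added Python example (not code from the paper): a constructed toy generator with r = 16, a balanced filter function f of n = 4 inputs that is linear in neither z_1 nor z_4, and a tapping sequence γ = (0, 1, 4, 6), so M = 6. It computes p_+ and p_-, builds the forward tree for every one of the 2^M initial memory states, records Z_n and Y_n, and runs the final check on M + c extra keystream bits; all parameter values (feedback taps, γ, f, c) are assumptions for illustration.

```python
"""Forward generalized inversion tree on a constructed toy filter generator.

Added example, not code from the paper.  All parameters are assumptions:
r = 16, feedback taps TAPS, tapping sequence GAMMA and filter function F.
"""
from itertools import product
import random

R = 16                     # LFSR length r
TAPS = (2, 3, 5, 16)       # recursion x(t) = x(t-2) + x(t-3) + x(t-5) + x(t-16) mod 2
GAMMA = (0, 1, 4, 6)       # tapping sequence gamma with gamma_1 = 0
N = len(GAMMA)             # number of filter inputs n
M = GAMMA[-1] - GAMMA[0]   # input memory size M = gamma_n - gamma_1
DEPTH = R - M              # tree depth r - M


def F(z):
    """Balanced filter f(z1, z2, z3, z4) = z3 + z2 (z1 + z4) over GF(2)."""
    z1, z2, z3, z4 = z
    return z3 ^ (z2 & (z1 ^ z4))


def fractions_p_plus_minus():
    """p_+ (p_-): fraction of (z2..zn) ((z1..zn-1)) on which F ignores z1 (zn)."""
    rest = list(product((0, 1), repeat=N - 1))
    p_plus = sum(F((0,) + z) == F((1,) + z) for z in rest) / len(rest)
    p_minus = sum(F(z + (0,)) == F(z + (1,)) for z in rest) / len(rest)
    return p_plus, p_minus


def lfsr_extend(bits, count):
    """Append count bits to >= r consecutive LFSR bits via the linear recursion."""
    x = list(bits)
    for _ in range(count):
        x.append(sum(x[len(x) - k] for k in TAPS) & 1)
    return x


def filter_output(x, t_start, t_stop):
    """y(t) = F(x(t-gamma_1), ..., x(t-gamma_n)) for t_start <= t < t_stop,
    with x indexed so that x[i + M] holds x(i) (x[0] is x(-M))."""
    return [F(tuple(x[t - g + M] for g in GAMMA)) for t in range(t_start, t_stop)]


def forward_tree(memory, y):
    """Level-by-level forward tree for one guessed initial memory state.
    memory = (x(-M), ..., x(-1)); y = (y(0), ..., y(len(y)-1)).  A node at level t
    keeps the whole segment x(-M..t-1); its children are the 0, 1 or 2 values of
    x(t) with F(...) = y(t).  Returns Z (Z[n] = nodes at level n, Z[0] = 1) and
    the segments at the deepest level (empty if the tree died out)."""
    level = [tuple(memory)]
    Z = [1]
    for t, yt in enumerate(y):
        nxt = []
        for node in level:
            for b in (0, 1):
                z = tuple(b if g == 0 else node[t - g + M] for g in GAMMA)
                if F(z) == yt:
                    nxt.append(node + (b,))
        level = nxt
        Z.append(len(level))
    return Z, level


def run_attack(y, c=8):
    """Forward generalized inversion attack on y (length >= r + c).
    Returns the Section 3.3 figures over all 2^M initial memory states (time T,
    space S, number of solutions K, fraction of full-depth trees) and the r-bit
    segments x(-M..r-M-1) that survive the check on M + c extra keystream bits."""
    total_y = max_y = full_depth = solutions = 0
    survivors = []
    for memory in product((0, 1), repeat=M):
        Z, leaves = forward_tree(memory, y[:DEPTH])
        y_n = sum(Z[1:])                          # Y_{r-M} for this tree
        total_y += y_n
        max_y = max(max_y, y_n)
        full_depth += int(Z[-1] > 0)
        solutions += Z[-1]
        for seg in leaves:                        # final stage: extend by the LFSR
            x = lfsr_extend(seg, M + c)           # recursion and compare outputs
            if filter_output(x, DEPTH, DEPTH + M + c) == y[DEPTH:DEPTH + M + c]:
                survivors.append(seg)
    return {"time": total_y / DEPTH, "space": max_y, "solutions": solutions,
            "full_depth_fraction": full_depth / 2 ** M, "survivors": survivors}


def demo(seed=1, c=8):
    """Constructed instance: random LFSR initial state, r + c keystream bits."""
    rng = random.Random(seed)
    init = [rng.randint(0, 1) for _ in range(R)]      # x(-r), ..., x(-1)
    xs = lfsr_extend(init, R + c)[R - M:]             # xs[i + M] = x(i), i <= r+c-1
    y = filter_output(xs, 0, R + c)                   # y(0), ..., y(r+c-1)
    true_segment = tuple(xs[:R])                      # x(-M), ..., x(r-M-1)
    return true_segment, run_attack(y, c)


if __name__ == "__main__":
    seg, res = demo()
    print("p+, p- =", fractions_p_plus_minus())
    print({k: v for k, v in res.items() if k != "survivors"})
    print("true segment recovered:", seg in res["survivors"])
```

The figures printed per run are the toy counterparts of the #Solutions, Time, Space and Prob columns of the tables in Section 5 (here absolute rather than per guess).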

4 Probabilistic Analysis via Branching Processes 

4.1 Probabilistic Models 

The basic probabilistic model to be considered is one in which (x(t))_{t=-M}^{-1} is 
uniformly distributed and (y(t))_{t=0}^{r-M-1} is a random variable independently 
generated from a uniformly distributed LFSR initial state. Note that (y(t))_{t=0}^{r-M-1} 
need not be uniformly distributed and in fact is not likely to be such if p > 0. In 
particular, some output segments may not be possible at all. In the related, but 
different model where the output segment is uniformly distributed, the expected 
values of both Z_n and Y_n/n are equal to 1 for each 1 ≤ n ≤ r − M. So, in this 
model, the expected total number of consistent solutions for (x(t))_{t=-M}^{r-M-1} (to 
be checked in the final stage of the generalized inversion attack) as well as the 
expected time complexity of the tree construction are both exactly 2^M, which is 
the same as in the inversion attack. 

Not only can the expected values be different in the realistic, basic model, 
but also it is conceivable that Z_{r-M} and/or Y_{r-M}/(r − M) can be big depending 
on a particular output segment. In the inversion attack, where p = 0, this is not 
possible, because the variance of Z_n is zero for every guessed initial memory 
state. More generally, if the output segment is uniformly distributed and p > 
0, then the number of solutions is exactly 2^M for each output segment, but 
the variance of Z_n need not be equal to zero for every guessed initial memory 
state. Consequently, the problem here is to estimate the expected values and the 
variances as well as the probability distributions of both Z_n and Y_n/n in the 
basic probabilistic model. 
The variances and the probability distributions of Z_n and Y_n/n in general 
depend on a particular filter function and on a chosen tapping sequence as well. 
They could be estimated empirically in various cases of interest, as is 
demonstrated in the next section. However, a reasonably good approximation providing 
insight into the size of the random tree spanned can be obtained by the theory 
of critical branching processes outlined in the Appendix. One may consider the 
random tree produced by the random initial memory state and the random or a 
fixed output segment. In both cases, the associated branching process is one 
with the branching probability distribution defined by (3). It is a critical Galton-
Watson process with the expected value 1 and the variance p of the branching 
random variable Z_1. 

The random tree produced by the associated branching process is not the 
same as the random one obtained by the tree construction process. The reason 
for this is that in the branching process the branching probability distribution 
for a given node is independent of the nodes at the same or the preceding levels 
(the history), whereas in the tree construction process there is a dependence 
between the nodes as a result of successive inputs to the filter function having 
some bits in common. Note that the dependence is not influenced by the LFSR 
recursion, since only r successive bits of the LFSR sequence are examined. This 
dependence is relatively weak if the tapping sequence defines a positive difference 
set and is stronger if it is equidistant, that is, if γ = (δi)_{i=0}^{n-1} where δ is a positive 
integer. As a consequence, the probability distributions of both the variables 
Z_n and Y_n/n are somewhat different. However, the difference is expected to be 
relatively small for both their expected values and variances, as they are only 
affected by relatively weak pairwise and triplewise dependences between different 
levels in the random tree generated by the tree construction process. 

4.2 Expected Values and Variances 

In view of the corresponding theorem from the Appendix, we then get that for the associated 
branching process, E(Z_n) = 1, Var(Z_n) = pn, and Pr{Z_n > 0} = 1 − f^(n)(0), 
where f^(n)(s) is the n-fold self-composition of the generating function, f(s) = 
p/2 + (1 − p)s + ps²/2, of the branching probability distribution (3). This 
probability can be evaluated numerically. For any n, Pr{Z_n > 0} ≤ 1 − p/2 and 
for large n, Pr{Z_n > 0} ~ 2/(pn), provided p > 0. If p is very small, then 
this probability is close to 1, unless n is very large. Accordingly, the expected 
fraction of the guessed initial memory states giving rise to at least one input 
segment of length n that is consistent with the given output segment of length 
n is 1 − f^(n)(0). On the other hand, another theorem from the Appendix gives that 
E(Y_n/n) = 1 and Var(Y_n/n) = pn/3. In view of the Chebyshev inequality 
Pr{|Y_n/n − E(Y_n/n)| ≥ ε} ≤ Var(Y_n/n)/ε², we then get that Y_n/n is with high 
probability O(√n) and the multiplicative constant is not big. Note that in the 
case of interest n = r − M. 

It is interesting to see how large Z_n and Y_n/n can grow when conditioned 
on the event that there exists at least one input segment of length n that 
is consistent with the output segment. At least one such initial memory state 
exists, corresponding to the original LFSR sequence producing the given output 
sequence. A further theorem from the Appendix shows that for p > 0 and large 
n, E(Z_n | Z_n > 0) ~ pn/2 and Var(Z_n | Z_n > 0) ~ p²n²/4. This means that the 
number of solutions is with high probability linear in n, provided at least one 
such solution exists. As for Y_n/n, the note from the Appendix shows that for 
p > 0 and large n, E(Y_n/n | Z_n > 0) = O(pn) and Var(Y_n/n | Z_n > 0) = O(p²n²), 
so that Y_n/n is then with high probability O(pn). Consequently, the resulting 
tree is then bigger than on average, but still relatively small even if n = r − M 
is big. 

4.3 Correction Factor 

One may take the estimates given above as good approximations for the random 
tree generated by the tree construction process. Recall that in the basic 
probabilistic model, one first chooses a random uniformly distributed LFSR 
initial state, then generates the corresponding output segment of length r − M, 
and, finally, independently chooses a uniformly distributed initial memory state 
and constructs the corresponding tree. So, for each achievable output segment of 
length r − M, one in fact constructs 2^M trees corresponding to all possible initial 
memory states. The above estimates would have been good approximations if all 
2^(r-M) output segments were achievable. Since this is not the case, a correction 
has to be made. Namely, the random variables Z_n and Y_n/n have to be 
conditioned on the achievability event that there exists at least one initial memory 
state, among 2^M of them, with at least one input segment of length n consistent 
with the output segment. The conditioning event is the same as the one that the 
output segment is achievable or, in terms of the theory of branching processes, 
that among 2^M independently generated trees there exists at least one of depth 
n. It is easily seen that the expected fraction of achievable output segments of 
length n is then 

    q_n = 1 − (1 − 2/(pn))^(2^M).    (5) 

Thus, the theory of branching processes helps one analyze how many output 
segments of a given length are expected to occur at the output of a nonlinear 
filter generator, which reflects its statistical properties. Consequently, for any 
n ≥ 1, the random variable Z_n in the original branching process is a mixture 
of the zero random variable, with probability 1 − q_n, and the random variable 
Z_n conditioned on the achievability event, with probability q_n. Both E(Z_n) and 
Pr{Z_n > 0} then increase by the multiplicative factor q_n^(-1), whereas Var(Z_n) 
approximately increases by the same factor. The random variable Y_n/n is more 
difficult to analyze, but it is clear that one may expect that the trees produced 
from achievable output segments by the basic probabilistic model are bigger 
in size about q_n^(-1) times up to level n than the ones produced by arbitrary, 
not necessarily achievable output segments. In particular, for n = r − M, the 
correction factor q_{r-M}^(-1) becomes significant if 2^M (1 − f^(r-M)(0)) < 1. 
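The survival probability 1 − f^(n)(0) of Section 4.2, its large-n approximation 2/(pn), and the achievable fraction q_n of equation (5) can be evaluated numerically as follows. This is an added Python example, not code from the paper; the p, n and M values used in the usage at the bottom are chosen for illustration only.

```python
"""Critical branching-process figures for the generalized inversion tree.

Added example, not code from the paper: evaluates,  for the branching
distribution (3) with parameter p, the survival probability
Pr{Z_n > 0} = 1 - f^(n)(0) of Section 4.2, its large-n approximation 2/(pn),
and the fraction q_n of achievable output segments from equation (5).
"""
import math


def generating_function(p, s):
    """f(s) = p/2 + (1 - p) s + p s^2 / 2, the generating function of Z in (3)."""
    return p / 2 + (1 - p) * s + p * s * s / 2


def extinction_probability(p, n):
    """f^(n)(0), the n-fold self-composition of f at 0: the probability that
    the tree of one guessed initial memory state has died out by level n."""
    s = 0.0
    for _ in range(n):
        s = generating_function(p, s)
    return s


def survival_probability(p, n):
    """Pr{Z_n > 0} = 1 - f^(n)(0): the guess still has at least one consistent
    input segment of length n."""
    return 1.0 - extinction_probability(p, n)


def survival_asymptotic(p, n):
    """Large-n approximation 2/(pn) for p > 0 (for p = 0 every tree survives)."""
    return 2.0 / (p * n) if p > 0 else 1.0


def achievable_fraction(p, n, M):
    """q_n of equation (5): 1 - (1 - 2/(pn))^(2^M), the chance that at least one
    of the 2^M independent trees reaches depth n (q_n = 1 when p = 0; the base
    is clipped at 0 for small n, where 2/(pn) exceeds 1)."""
    if p == 0:
        return 1.0
    return 1.0 - max(0.0, 1.0 - 2.0 / (p * n)) ** (2 ** M)


def achievable_fraction_exact(p, n, M):
    """Same event with the exact survival probability: 1 - f^(n)(0)^(2^M),
    computed in the log domain so that 2^M may be large."""
    s = extinction_probability(p, n)
    if s == 0.0:
        return 1.0
    return 1.0 - math.exp(2 ** M * math.log(s))


def correction_row(p, n, M):
    """One row in the style of the paper's Table 5 for depth n = r - M:
    full-depth probability, achievable fraction q_n, correction factor 1/q_n,
    and Var(Y_n/n) = pn/3 from Section 4.2."""
    q = achievable_fraction(p, n, M)
    return {"prob_full_depth": survival_probability(p, n), "q_n": q,
            "correction": 1.0 / q, "var_Y_over_n": p * n / 3.0}


if __name__ == "__main__":
    # illustration only: depth 85 and M = 15 as in the paper's Tables 2 and 4
    for p in (0.0, 0.125, 0.5, 1.0):
        print(p, correction_row(p, 85, 15))
```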
4.4 Time and Space Complexities 

As noted before, the time and space complexities of the tree construction process 
are given as T = Σ Y_{r-M}/(r − M) and S = max{Y_{r-M}}, where the sum and the 
maximum are both over all 2^M initial memory states. The analysis conducted 
above based on the theory of critical branching processes shows that the expected 
time complexity is about 2^M q_{r-M}^(-1) and that with high probability, under the 
reasonable independence assumption, 

    T ≤ 2^M q_{r-M}^(-1) + O(2^(M/2) (r − M)^(1/2) p^(1/2) q_{r-M}^(-1/2)).    (6) 

Note that the correction factor q_{r-M}^(-1) depends on r − M, M, and p, and for p > 0 
and large r − M satisfies 2^M q_{r-M}^(-1) ≈ p(r − M)/2. The total number of obtained 
input segments of length r consistent with the given output segment of length 
r − M is K = Σ Z_{r-M} and has about the same expected value as T and a 
variance three times bigger. As a result, it satisfies a relation analogous to (6). 

However, the space complexity increases only linearly with M. This is a 
consequence of the exponential probability distribution given in the corresponding theorem 
in the Appendix. Namely, the expected number of levels in all 2^M trees of depth 
n with the number of nodes not smaller than nc is for large n very close to 

    Σ_{l=1}^{n} (2^(M+1)/(pl)) e^(−2cn/(pl)) ≤ (2^(M+1)/p) e^(−2c/p) Σ_{l=1}^{n} 1/l,    (7) 

where Σ_{l=1}^{n} 1/l ≈ 0.577 + ln n, 0.577 approximating the Euler constant. On the 
condition that this number is not bigger than a given constant, it follows that c 
increases linearly with M. Hence, with high probability 

    S ≤ (r − M)/(1 − f^(r-M)(0)) + O(M (r − M)^(3/2) √(p (1 − f^(r-M)(0))^(-1))),    (8) 

which for p > 0 and large r − M reduces to 

    S ≤ (r − M) + O(Mp (r − M)²),    (9) 

where the multiplicative constant is relatively small (the first additive term is 
included to encompass the case when p = 0). Here, the bigger correction factor 
(1 − f^(r-M)(0))^(-1) is used instead of q_{r-M}^(-1) because S is determined by the tree 
of the maximum size, which very likely has full depth r − M, and at least one 
such tree is produced (the correct initial memory state). 

It is clear that, unlike the time and space complexities, the fraction of 
achievable output segments of any given length as well as the total number of input 
segments consistent with a given output segment are both independent of whether 
the attack is applied in its forward (p = p_+), backward (p = p_-), or basic (p = 1) 
form. So, (5) is only an approximation. It is reasonable to expect that the 
approximation corresponding to the minimum of p_+ and p_- is better, especially if 
this minimum is relatively small. 
5 Experimental Results 

In this section, we present results obtained by systematic experimental analysis 
of various nonlinear filter generators. The shift register length chosen is r = 100, 
which is sufficiently big to study the effect of a large tree depth r − M. The 
primitive feedback polynomial chosen is 1 + x^(·) + x^8 + x^100. We study 
filter functions, f, with n = 5 and n = 10 input variables, and for each f selected, 
two tap settings, γ, are considered, one adjacent and the other corresponding to 
a full positive difference set, for n = 5, and to a random set, for n = 10 (since 
the memory size, M, would have been too large if we had chosen a full positive 
difference set for n = 10). The experimental results for each of the four cases 
are shown in Tables 1-4, respectively. In each case, we have randomly chosen 3 
filter functions f with different probabilities (p_+, p_-) = (0, 0.5), (0.125, 0.875), 
and (0.5, 0.5), and for each of them we have run the forward and backward 
generalized inversion attack as well as the forward basic generalized inversion 
attack for 50 randomly chosen LFSR initial states. 

The results shown are the average number of solutions for consistent input 
segments of length r per initial memory state guessed (that is, K/2^M for 
the forward and backward attacks and K/2^(M+1) for the basic one), the average 
time complexity of the tree construction process per initial memory state 
guessed (that is, T/2^M for the forward and backward attacks and T/2^(M+1) for 
the basic one), the space complexity S, and the fraction of trees reaching the 
full depth r − M for all the attacks. Note that in the basic attacks the level 
r − M − 1 is not empty after checking for consistency if and only if the level 
r − M is not empty before checking for consistency. All the results are averaged 
over 50 randomly chosen LFSR initial states. 



Table 1. (r, n, M) = (100, 5, 4), γ = {0, 1, 2, 3, 4}. 

  p+      p-      #Solutions   Time      Space    Prob    Attack 
  0.000   0.500       1.000    1.000      96.0    1.000   Forward 
                      1.000    1.000    1294.9    0.062   Backward 
                      0.500    1.000     190.0    0.500   Basic Fwd 
  0.125   0.875      25.156    8.635    2585.6    0.464   Forward 
                     25.156    8.434    6852.5    0.160   Backward 
                     12.578    8.461    4655.8    0.256   Basic Fwd 
  0.500   0.500      92.946   19.974    9550.0    0.185   Forward 
                     92.946   20.511    7984.8    0.305   Backward 
                     46.473   19.206   17142.7    0.123   Basic Fwd 



Table 5 contains the probability for a tree to reach the full depth, to be 
compared with the 'Prob' column of Tables 1-4, the fraction of achievable output 
segments of the required lengths, and the corresponding correction factor for the 
number of solutions and for the time complexity. All of them are computed 
according to the theory of critical branching processes. Each found consistent 
Table 2. (r, n, M) = (100, 5, 15), γ = {0, 1, 3, 7, 15}. 

  p+      p-      #Solutions   Time      Space      Prob    Attack
  0.000   0.500   1.000        1.000     85.0       1.000   Forward
                  1.000        1.000     107017.1   0.002   Backward
                  0.500        1.000     168.0      0.500   Basic Fwd
  0.125   0.875   4.544        1.989     4147.3     0.254   Forward
                  4.544        1.885     841161.8   0.000   Backward
                  2.272        1.959     7367.3     0.129   Basic Fwd
  0.500   0.500   2.088        1.335     17551.8    0.025   Forward
                  2.088        1.277     76110.2    0.003   Backward
                  1.044        1.326     30788.8    0.013   Basic Fwd



Table 3. (r, n, M) = (100, 10, 9), γ = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9}. 

  p+      p-      #Solutions   Time      Space      Prob    Attack
  0.000   0.500   1.000        1.000     91.0       1.000   Forward
                  1.000        1.000     3808.6     0.040   Backward
                  0.500        1.000     180.0      0.500   Basic Fwd
  0.125   0.875   2.198        1.384     1189.4     0.211   Forward
                  2.198        1.421     7115.0     0.029   Backward
                  1.099        1.375     2248.6     0.108   Basic Fwd
  0.500   0.500   2.534        1.481     3821.1     0.058   Forward
                  2.534        1.459     3596.4     0.067   Backward
                  1.267        1.469     7218.4     0.031   Basic Fwd



Table 4. (r, n, M) = (100, 10, 15), γ = {0, 2, 3, 6, 7, 9, 10, 11, 14, 15}. 

  p+      p-      #Solutions   Time      Space      Prob    Attack
  0.000   0.500   1.000        1.000     85.0       1.000   Forward
                  1.000        1.000     11232.8    0.028   Backward
                  0.500        1.000     168.0      0.500   Basic Fwd
  0.125   0.875   1.094        1.035     2891.5     0.148   Forward
                  1.094        1.038     23706.4    0.011   Backward
                  0.547        1.034     5310.7     0.075   Basic Fwd
  0.500   0.500   1.278        1.120     10627.5    0.025   Forward
                  1.278        1.103     8975.3     0.033   Backward
                  0.639        1.119     20008.2    0.013   Basic Fwd
input segment of length r was then tested on an additional segment of the 
keystream sequence (the final stage of the inversion attack). For each examined 
nonlinear filter generator and every chosen LFSR initial state, it turns out that 
exactly one input sequence is consistent with the given keystream sequence, as 
should be expected since the number of input variables n is relatively small 
compared to r. 



Table 5. Full depth probabilities. 

  p                                            0.000   0.125   0.500   0.875   1.000
  (r, n, M)

  1 − f^{(r−M)}(0) (probability of reaching the full depth)
  (100, 5, 4)                                  1.000   0.140   0.039   0.022   0.020
  (100, 5, 15)                                 1.000   0.156   0.043   0.025   0.022
  (100, 10, 9)                                 1.000   0.147   0.041   0.023   0.021
  (100, 10, 15)                                1.000   0.156   0.043   0.025   0.022

  fraction of achievable output segments of the required length
  (100, 5, 4)                                  1.000   0.911   0.468   0.303   0.271
  (100, 5, 15)                                 1.000   1.000   1.000   1.000   1.000
  (100, 10, 9)                                 1.000   1.000   1.000   1.000   1.000
  (100, 10, 15)                                1.000   1.000   1.000   1.000   1.000

  correction factor for the number of solutions and the time complexity
  (100, 5, 4)                                  1.000   1.098   2.136   3.300   3.695
  (100, 5, 15)                                 1.000   1.000   1.000   1.000   1.000
  (100, 10, 9)                                 1.000   1.000   1.000   1.000   1.000
  (100, 10, 15)                                1.000   1.000   1.000   1.000   1.000



The experimental results shown generally agree very well with the theory of 
critical branching processes. In fact, by comparing Tables 2 and 4, where the 
memory sizes are the same, but the numbers of input variables are different, one 
may conclude that the dependence induced by overlapping successive inputs to 
the filter function (Table 4) tends to reduce the size of the constructed trees. The 
tables show that the space complexity required is smaller if the attack is run in 
the direction corresponding to the minimum of p+ and p−, as predicted by the 
theory, but, interestingly, the time complexities are mutually close for both 
directions. The time complexities are exactly the same if p+ or p− is equal to 
zero. As the total number of solutions is the same in each case for all the attacks, 
the normalized number of solutions is halved for the basic attacks. However, no 
general conclusion can be drawn as to whether the number of solutions and the 
time complexity are determined by the minimum or the maximum of p+ and p−; 
see the ‘#Solutions’ and ‘Time’ columns of Tables 1 and 2. The trees produced 
by the basic generalized inversion attack are roughly twice as big (the ‘Time’ 
and ‘Space’ columns) as those produced by the generalized inversion attack in 
the same direction (for simplicity, only the basic attack in the forward direction 
is displayed). 
To demonstrate the accordance with the theory, consider Tables 1 and 2, 
for example. The number of solutions (per initial memory state guessed, column 
‘#Solutions’) is bigger in Table 1 than in Table 2, because the number of possible 
initial memory states is much smaller, so that the variance becomes significant 
(see the corresponding variance formula above), and because the correction factor 
is bigger than 1 for Table 1, unlike the other tables, see Table 5. The same holds 
for the time complexity (column ‘Time’), except that the figures are smaller since 
the variance is smaller (see the corresponding formula above). The fact that the 
space complexity (column ‘Space’) is bigger in Table 2 than in Table 1 is also 
consistent with the theory, because the product M(r − M)^2 is then bigger (see the 
space complexity formulas above). 

6 Conclusions 

The theory of critical branching processes is applied to analyze the time and 
space complexities of the generalized inversion attack on nonlinear filter 
generators. Both theory and systematic experimental results obtained show that, 
perhaps surprisingly, almost regardless of the choice of the filter function, the 
attack has time complexity close to 2^M, M being the input memory size, and 
requires relatively small additional storage. Consequently, the choice of a filter 
function that is linear in neither the first nor the last input variable is likely to 
spoil the output statistics, but does not prevent the inversion attack in its 
generalized form. The inversion attack is infeasible if M is sufficiently large, 
provided that the tapping sequence is such that M cannot be reduced by the uniform 
decimation technique. The attack can also be applied to nonlinear filter generators 
with multiple outputs, where the theory of subcritical branching processes is 
expected to be useful. 

Appendix 

Critical Branching Processes 

Only the basic type of branching processes, called the Galton-Watson processes, 
will be considered, see […]. Such a branching process is a Markov chain 
on the nonnegative integers whose transition function is defined in 
terms of a given probability distribution {p_k}_{k≥0}. The initial random variable 
Z_0 takes value 1 with probability 1, and for any n ≥ 1, the random variable 
Z_n conditioned on Z_{n−1} = i is the sum of i independent identically distributed 
random variables with the probability distribution {p_k}_{k≥0} (if i = 0, then 
Z_n = 0). The process can be regarded as a random (finite or infinite) tree with 
Z_n being the number of nodes at level n ≥ 0, where the number of branches 
leaving any node in the tree is equal to k with probability p_k, independently of 
other nodes at the same or previous levels. The generating function characterizing 
the probability distribution of Z_n can be expressed as the self-composition 
of the generating function f(s) = \sum_{k=0}^{\infty} p_k s^k of {p_k}_{k≥0}, which is the 
probability distribution of Z_1. Precisely, if f^{(n)}(s), 0 ≤ s ≤ 1, denotes the generating 
function of the probability distribution of Z_n, and if f^{(0)}(s) = s, then for every 
n ≥ 1, 

f^{(n)}(s) = f(f^{(n−1)}(s)).   (10) 

The basic characteristic of a branching process is the expected number of 
branches leaving any node, that is, 

μ = E(Z_1) = \sum_{k=0}^{\infty} k p_k.   (11) 

A branching process is called subcritical, critical, or supercritical if μ < 1, μ = 1, 
or μ > 1, respectively. The extinction probability, defined as the probability of a 
tree being finite, is 1 for subcritical and (perhaps unexpectedly) critical processes 
and smaller than 1 for supercritical processes. We are here only interested in 
critical processes, whose main properties are given by the following theorem, see 
[…]. Let σ^2 = Var(Z_1) be the variance of Z_1. 

Theorem 1. In the critical case, μ = 1, if σ^2 > 0 (p_1 < 1) and σ^2 < ∞, then 
for any n ≥ 1, 

E(Z_n) = 1   (12) 

Var(Z_n) = σ^2 n   (13) 

Pr{Z_n > 0} = 1 − f^{(n)}(0)   (14) 

Equation (14) implies that the extinction probability, 1 − lim_{n→∞} Pr{Z_n > 0}, 
is equal to 1, while the rate of convergence is relatively slow. The variance grows 
linearly with n although the expected value remains equal to 1. 

It is also interesting to study the total number of nodes in a random tree up to 
level n, not counting the initial node, that is, the random variable 
Y_n = \sum_{i=1}^{n} Z_i for any n ≥ 1. Its generating function satisfies a recursion 
which reduces to a functional equation with a unique solution if n → ∞, see […]. 
Its expected value follows trivially, while its variance can be determined after 
a certain manipulation. 

Theorem 2. In the critical case, μ = 1, if σ^2 > 0, then for any n ≥ 1, 

E(Y_n) = n   (15) 

Var(Y_n) = \frac{σ^2}{6} n(n+1)(2n+1)   (16) 

Note that, although the extinction probability is 1, the expected value grows 
linearly with n and the variance increases as n^3, which is by a multiplicative factor 
n faster than what would hold if the random variables Z_i were independent. 
Other interesting random variables to be considered are Z_n and Y_n conditioned 
on the event {Z_n > 0}. They are the number of nodes at level n and the 
total number of nodes up to level n, not counting the initial one, in a random tree 
reaching level n. The probability distribution of Z_n | {Z_n > 0} is simply obtained 
by dividing the probability distribution of Z_n by Pr{Z_n > 0}, see Theorem 1. 
The limit distribution of Z_n / n | {Z_n > 0} in the critical case has been characterized 
by Yaglom, see […]. By computing the expected value and variance, 
we can then formulate the following theorem. 

Theorem 3. In the critical case, μ = 1, if 0 < σ^2 < ∞, then 

lim_{n→∞} Pr{ Z_n / n > z | Z_n > 0 } = e^{−2z/σ^2},   z ≥ 0,   (17) 

E(Z_n | Z_n > 0) = \frac{1}{1 − f^{(n)}(0)}   (18) 

Var(Z_n | Z_n > 0) = \frac{1}{1 − f^{(n)}(0)} \left( σ^2 n − \frac{f^{(n)}(0)}{1 − f^{(n)}(0)} \right)   (19) 

The probability distribution of the conditioned random variable Y_n | {Z_n > 0} 
is not treated in the standard books on branching processes like […]. 
Nevertheless, the previous theorems and the results regarding the conditioned 
random variable Z_n | {Z_n > 0} presented in […] enable us to conclude that in the 
critical case, E(Y_n | Z_n > 0) = O(n (1 − f^{(n)}(0))^{−1}) = O(σ^2 n^2) and 
Var(Y_n | Z_n > 0) = O(σ^2 n^3 (1 − f^{(n)}(0))^{−1}) = O(σ^4 n^4). 
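The iteration (10) and the conditioned moments (18) and (19) can be checked numerically against the first block of Table 5. The following is an added example, not code from the paper; it assumes (inferred from the ‘Prob’ columns and Table 5 rather than stated on the page) that in the tree model a node has 0 or 2 branches with probability p/2 each and 1 branch with probability 1 − p, where p is the branching parameter (p+ for the forward attack), which is a critical process with σ^2 = p.

```python
"""Critical Galton-Watson iteration for the inversion-attack tree model.

Added example, not code from the paper.  Assumption (inferred from the
'Prob' columns and Table 5, not stated on the page): a node of the tree
has 0 or 2 branches with probability p/2 each and 1 branch with
probability 1 - p.  This process is critical (mu = 1) with variance
sigma^2 = p, so Theorems 1 and 3 of the appendix apply.
"""


def offspring_pgf(p):
    """Generating function f(s) = sum_k p_k s^k of the assumed distribution."""
    def f(s):
        return p / 2 + (1 - p) * s + (p / 2) * s * s
    return f


def iterate_pgf(f, n, s=0.0):
    """f^(n)(s): the n-fold self-composition of eq. (10), with f^(0)(s) = s."""
    for _ in range(n):
        s = f(s)
    return s


def full_depth_probability(p, depth):
    """Pr{Z_n > 0} = 1 - f^(n)(0) at n = depth, eq. (14)."""
    return 1.0 - iterate_pgf(offspring_pgf(p), depth)


def conditional_moments(p, depth):
    """E(Z_n | Z_n > 0) and Var(Z_n | Z_n > 0), eqs. (18) and (19), sigma^2 = p."""
    f_n0 = iterate_pgf(offspring_pgf(p), depth)
    survival = 1.0 - f_n0
    mean = 1.0 / survival
    var = (1.0 / survival) * (p * depth - f_n0 / survival)
    return mean, var


def table5_full_depth(ps=(0.0, 0.125, 0.5, 0.875, 1.0),
                      params=((100, 5, 4), (100, 5, 15), (100, 10, 9), (100, 10, 15))):
    """Recompute the first block of Table 5: 1 - f^(r-M)(0) for each (r, n, M)."""
    return {(r, n, m): [round(full_depth_probability(p, r - m), 3) for p in ps]
            for (r, n, m) in params}


if __name__ == "__main__":
    for key, row in table5_full_depth().items():
        print(key, row)
    mean, var = conditional_moments(1.0, 96)
    # Yaglom's limit (17) has mean sigma^2/2, so E(Z_n | Z_n > 0) ~ sigma^2 n / 2.
    print("E(Z_96 | Z_96 > 0) = %.1f (asymptote %.1f), Var = %.0f" % (mean, 96 / 2, var))
```

The recomputed rows for (100, 5, 15) and (100, 10, 15) coincide because both trees have the same depth r − M = 85, exactly as in Table 5.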
Abstract. Fail-stop signatures provide security for a sender against a 
forger with unlimited computational power. In this paper we present 
a fail-stop signature scheme based on the discrete logarithm problem for 
elliptic curves and then show that the signing process can be distributed 
among a group of senders to obtain a threshold signature scheme. The 
threshold signature scheme has a cheater detection property and allows 
the combiner to detect a sender who is submitting false shares. We will 
show that our fail-stop signature scheme works in the two commonly 
used models of signature schemes, with or without a trusted authority. 



1 Introduction 

Digital signature schemes are the most important cryptographic primitive for 
providing authentication in an electronic world. Digital signatures, introduced 
in the pioneering paper of Diffie and Hellman […], allow a signer with a secret key 
to sign messages such that anyone with access to the corresponding public key 
is able to verify the authenticity of the message. A digital signature scheme uses 
an instance of a hard mathematical problem as the basis of its claimed security. 
This means that the security is in the computational sense and an enemy with 
unlimited resources can always forge the signature by solving the underlying instance 
of the problem. To ensure security, the parameters of the instances are chosen such 
that solving the instance of the problem would be beyond the computational 
means of the prospective attacker. A classical digital signature scheme has the 
disadvantage that there is no mechanism in the signature scheme to protect the 
signer against possible forgeries; that is, if a signed message passes the 
verification test then it is assumed to be generated by the owner of the secret key. 
This effectively means that an all-powerful enemy can always succeed in forging 
signatures. 

To protect against this attack, fail-stop signatures (FSS) are proposed in 
[…]. In a fail-stop signature, in the case of forgery, the presumed signer is 

* This work is in part supported by Australian Research Council Grant Number 
able to prove that a forgery has happened. This is done by showing that the 
underlying intractability assumption of the system is broken. The system will 
be stopped at this stage, hence the name fail-stop. In this way, a polynomially 
bounded signer is protected against a forger with unlimited computational 
power. A fail-stop signature scheme is a one-time digital signature that can be 
used for signing a single message for a specified secret and public key. However, 
there are ways of extending the scheme to work for multiple messages 
[…]. Fail-stop signature schemes can be made much more efficient if there is a 
single recipient […]. This is a common requirement in applications such as 
electronic payment where the bank is the sole recipient. 

In a fail-stop signature scheme the sender and the receivers are all 
polynomially bounded, whereas the enemy has unlimited computing power 
[…]. 

1.1 Previous Works 

As noted in […], fail-stop signature schemes exist if computing discrete 
logarithms or factoring large integers is hard. The first general construction of 
fail-stop signatures uses a one-time signature scheme (similar to […]) and 
requires messages to be signed bit by bit. This construction is not efficient. 

In […] an efficient construction of a fail-stop signature for the single recipient 
model, that is the bank in an on-line payment system, is proposed. The main 
drawback of this system is that it does not allow public verification. Signature 
generation is a 3-round protocol between the signer and the recipient and so is 
expensive in terms of communication. 

In […], an efficient fail-stop signature scheme based on discrete logarithms, 
with public verification, is presented. The underlying intractability assumption 
for the scheme is that the discrete logarithm problem is difficult. In the case 
of dispute, the presumed signer can solve the instance of the discrete logarithm 
problem, and prove that the underlying assumption does not hold. 

In […], fail-stop signature schemes using a ’bundling homomorphism’ are 
proposed. This is a generalisation of […] but has a more complicated key exchange 
phase. The proof of forgery is done by the presumed signer by presenting two 
different signatures, the forged one and the one generated by the valid signer, and 
the proof-test is by showing that the two signatures collide under the ’bundling 
homomorphism’. A special case of this construction uses the difficulty of factoring 
as the underlying assumption of the system. 

The existence condition for fail-stop signature schemes has recently been relaxed 
[…] and it is shown that a fail-stop signature scheme only exists if one-way 
permutations exist. 



1.2 Our Contributions 

In this paper, we propose a fail-stop signature scheme based on the discrete logarithm 
problem over elliptic curves. For more information on elliptic curves, we refer the 
reader to […]. The construction is essentially the same as the one given in […], 
but it has the added key efficiency advantage of elliptic curve cryptosystems. 
We describe our scheme in a model where a centre that is trusted by all the 
recipients is present. This is similar to the model given in […]. However, we 
show that the role of the centre can be played by any of the recipients, hence 
resulting in a system with a single recipient. We show that the scheme can be 
transformed into a (t, n) threshold signature scheme where signature generation 
requires collaboration of t senders […]. 

The proposed scheme allows detection of cheaters during the share submission 
phase and so protects against a sender submitting junk instead of valid shares 
in an attempt to disrupt the system operation. 

The paper is organised as follows. In the next section, we present the basic 
concepts and definitions of fail-stop signature schemes and introduce the 
notations that are used throughout the rest of the paper. In section 3, we present our 
fail-stop signature scheme and in section 4, we extend it to a fail-stop threshold 
signature scheme. Section 5 concludes the paper. 

2 Preliminaries 

We briefly review the definition and requirements of fail-stop signatures and refer 
the reader to […] for a more complete account. 

A fail-stop signature scheme, similar to an ordinary digital signature scheme, 
consists of two procedures for generation and verification of signatures: 

1. Sign: algorithm for signing messages, 

2. Verify: algorithm for verifying signatures. 

It also includes two more algorithms: 

3. Prove: algorithm for proving a forgery, 

4. Proof-test: algorithm for testing the proof of forgery. 

A secure fail-stop signature scheme must satisfy the following properties 
[…]: 

1. If the signer signs a message, the recipient can verify the signature. 

2. A polynomially bounded forger cannot create forged signatures that succes- 
sfully pass the verification test. 

3. When a forger with an unlimited computational power succeeds in forging a 
signature that passes the verification test, the presumed signer can construct 
a proof of forgery and convince a third party that a forgery has occurred. 

4. A polynomially bounded signer cannot create a signature that he can later 
prove to be a forgery. 

To achieve the above properties, for each public key, there must exist many 
matching secret keys such that different secret keys create different signatures 
on the same message. The real signer knows only one of the secret keys, and can 
construct one of the many possible signatures on a given message. However, an 
enemy with unlimited computing power, although able to generate all the signatures, 
cannot determine which one will be used by the signer. Thus, it would be 
possible for the signer to provide a proof of forgery by generating a second 
signature on the message with a forged signature, and use the two signatures to 
break the underlying assumption of the scheme, hence proving the forgery. 

To show security of a fail-stop signature […], it suffices to prove the following 
properties. 

1. There exists a probabilistic polynomial time algorithm proof that takes a pair 
of secret and public key, a message and a forged signature for that message, 
and outputs a proof of forgery. 

2. An enemy with unlimited computing power who knows the public key of the 
signer and his/her signature on a message, cannot find the secret key of the 
signer. Thus, he/she would not be able to construct signer’s signature on a 
new message. 

3. A polynomially bounded signer cannot construct a valid signature on a mes- 
sage, and later prove that it is a forgery. 

These properties show that fail-stop signatures are unconditionally secure for 
the signer (first two requirements), and computationally secure for the recipient 
(third requirement). 

Fail-stop signature schemes are studied in two different models, where the 
main difference between the models is the existence of a centre (or a dealer) 
which is trusted by the recipients. The fail-stop signature schemes with a trusted 
centre, for example […], allow public verification and use a two-party protocol 
between the signer and the centre to generate the required keys. 

This is to ensure that the signer cannot later deny his own signature and 
provide a proof of forgery for it. Fail-stop signature schemes without a trusted 
centre, for example […], are obtained by allowing every recipient to act as a 
centre. This results in a more efficient key exchange at the expense of losing 
the public verifiability property for the signature. 

Elliptic Curves 

Elliptic curve cryptosystems have attracted much attention in recent years 
because of the relatively small size of keys they require. An elliptic curve over 
GF(p) is the set of points (x, y) with x, y ∈ GF(p) satisfying the equation 

y^2 = x^3 + ax + b 

together with a special element denoted O and called the point at infinity. An 
addition operation on the points of an elliptic curve can be defined that makes it 
into an abelian group. For a more precise definition of the addition operation, we 
refer the reader to […]. 

Let E_p(a, b) denote an elliptic curve of the form 

y^2 = x^3 + ax + b   mod p 



Fail-Stop Threshold Signature Schemes Based on Elliptic Curves 107 



where p is a prime number, x^3 + ax + b = 0 mod p does not have multiple roots, 
and 4a^3 + 27b^2 ≠ 0 mod p. 

#E_p(a, b) denotes the order of E_p(a, b) and can be calculated in polynomial 
time using algorithms such as Schoof’s algorithm […] and a combination of 
Schoof’s algorithm with Shanks’ baby-step giant-step algorithm […]. 

Definition 1. An elliptic curve discrete logarithm problem (ECDL) is defined 
as follows. Let α ∈ E_p(a, b) be a point of order q, and let β = dα. Given α 
and β, determine the unique integer d, where 0 < d < q. 



ECDL is intractable if the curve is well-chosen. In particular it is an easy 
problem for supersingular and anomalous curves. 



3 A Fail Stop Signature Scheme Based on Elliptic Curves 

3.1 Model 

Our model is similar to […]. In this model, there is a centre, D, who is trusted 
by the recipients (and not necessarily by the sender), who sets up the system, 
but is not involved in signature generation or verification. There is a sender, S, 
who has a secret key. A recipient can verify a signature by using the sender’s 
public key. In the case of dispute, the sender can prove that he can solve the ECDL 
problem. 

3.2 Scheme 
System Setup 

1. D chooses an elliptic curve E_p(a, b) such that q = #E_p(a, b) is also prime. 

2. D randomly chooses a point α ∈ E_p(a, b), and a number d ∈ GF(q). 
He calculates β = dα over E_p(a, b) and discards d. Finally he publishes 
(E_p(a, b), q, α, β). 

A simple algorithm to find such a curve is to randomly select a curve, find 
its order, discard the curve if the order is non-prime and repeat the process. It 
is conjectured that this type of curve can be obtained in O(√(log p)) […]. 

Sender’s Key Generation 

1. S checks to see if α and β belong to E_p(a, b). If not, reject the public 
parameters. 

2. If the public parameters are accepted, S chooses a 4-tuple, (k_1, k_2, k_3, k_4), 
k_i ∈ GF(q), 1 ≤ i ≤ 4, as his secret key. 

3. S computes 

α_1 = k_3 α + k_1 β   over E_p(a, b) 

α_2 = k_4 α + k_2 β   over E_p(a, b) 

and publishes (α_1, α_2) as his public key. 
Message Signing 

To generate the signature for a message M ∈ GF(q), S computes 

s_1 = k_1 M + k_2   mod q 

s_2 = k_3 M + k_4   mod q 

and publishes (s_1, s_2) as his signature on M. 

Verification 

A recipient can verify the validity of a signature by testing the following 
equality: 

s_2 α + s_1 β = M α_1 + α_2   over E_p(a, b) 

Proof of Forgery 

In the case of forgery, where a forged signature, namely (s_1', s_2'), passes the 
verification test, the presumed signer S can provide a proof of forgery by executing 
the following steps: 

1. Construct his own signature, (s_1, s_2), on M. 

2. Compute d = (s_2 − s_2') / (s_1' − s_1) mod q, and use this value as the proof of forgery. 
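The setup, key generation, signing, verification and proof-of-forgery steps above, worked through as an added example (not the paper’s code) on a toy curve: p is a small constructed prime so that #E_p(a, b) can be counted by brute force, which is exactly the random-curve search of System Setup; the forger with unlimited power is simulated by letting the simulation keep the d that the centre discards, since the model grants the forger the ability to solve ECDL, and the signer’s proof recovers that d without ever having seen it.

```python
"""Toy fail-stop signature over a small prime-order elliptic curve.

Added example, not the paper's code.  p = 101 and the curve found from it
are constructed for illustration only; nothing here is production crypto.
"""
import random

INF = None  # the point at infinity O


def ec_add(P, Q, a, p):
    # Group law on y^2 = x^3 + ax + b mod p (b is not needed for addition).
    if P is INF:
        return Q
    if Q is INF:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF                      # P + (-P) = O, also 2P when y = 0
    if P == Q:
        lam = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)


def ec_mul(k, P, a, p):
    # Double-and-add scalar multiplication k*P.
    R = INF
    while k:
        if k & 1:
            R = ec_add(R, P, a, p)
        P, k = ec_add(P, P, a, p), k >> 1
    return R


def curve_order(a, b, p):
    # #E_p(a,b) by brute-force point counting (toy-sized p only).
    roots = {}
    for y in range(p):
        roots.setdefault(y * y % p, []).append(y)
    return 1 + sum(len(roots.get((x**3 + a*x + b) % p, ())) for x in range(p))


def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n**0.5) + 1))


def system_setup(p, rng):
    # Centre D: random non-singular curves until q = #E_p(a,b) is prime, then
    # alpha and beta = d*alpha.  D discards d in the real scheme; it is returned
    # here only so that the unbounded forger can be simulated below.
    while True:
        a, b = rng.randrange(p), rng.randrange(p)
        if (4 * a**3 + 27 * b**2) % p == 0:
            continue
        q = curve_order(a, b, p)
        if is_prime(q):
            break
    while True:
        x = rng.randrange(p)
        ys = [y for y in range(p) if y * y % p == (x**3 + a*x + b) % p]
        if ys:
            alpha = (x, rng.choice(ys))  # any affine point generates the group (Lemma 1)
            break
    d = rng.randrange(1, q)
    return {"p": p, "a": a, "q": q, "alpha": alpha, "beta": ec_mul(d, alpha, a, p)}, d


def keygen(pub, rng):
    # Sender S: secret (k1, k2, k3, k4), public (alpha1, alpha2).
    a, p, q = pub["a"], pub["p"], pub["q"]
    k = [rng.randrange(q) for _ in range(4)]
    alpha1 = ec_add(ec_mul(k[2], pub["alpha"], a, p), ec_mul(k[0], pub["beta"], a, p), a, p)
    alpha2 = ec_add(ec_mul(k[3], pub["alpha"], a, p), ec_mul(k[1], pub["beta"], a, p), a, p)
    return k, (alpha1, alpha2)


def sign(k, M, q):
    # s1 = k1*M + k2, s2 = k3*M + k4 (mod q).
    return ((k[0] * M + k[1]) % q, (k[2] * M + k[3]) % q)


def verify(pub, pk, M, sig):
    # s2*alpha + s1*beta == M*alpha1 + alpha2 over E_p(a,b).
    a, p = pub["a"], pub["p"]
    s1, s2 = sig
    lhs = ec_add(ec_mul(s2, pub["alpha"], a, p), ec_mul(s1, pub["beta"], a, p), a, p)
    return lhs == ec_add(ec_mul(M, pk[0], a, p), pk[1], a, p)


def prove_forgery(sig, forged, q):
    # d = (s2 - s2') / (s1' - s1) mod q: the solved ECDL instance is the proof.
    (s1, s2), (f1, f2) = sig, forged
    return (s2 - f2) * pow(f1 - s1, -1, q) % q


def unbounded_forger(k, d, M, q, rng):
    # Solving ECDL on the public key reveals only c1 = k3 + d*k1 and
    # c2 = k4 + d*k2 (appendix, proof of Lemma 3); the forger picks one of the
    # q^2 matching keys at random and signs M with it.
    c1, c2 = (k[2] + d * k[0]) % q, (k[3] + d * k[1]) % q
    while True:
        k1, k2 = rng.randrange(q), rng.randrange(q)
        forged = sign([k1, k2, (c1 - d * k1) % q, (c2 - d * k2) % q], M, q)
        if forged[0] != sign(k, M, q)[0]:  # s1' != s1, so d is recoverable
            return forged


def demo(p=101, seed=7, M=42):
    rng = random.Random(seed)
    pub, d = system_setup(p, rng)
    k, pk = keygen(pub, rng)
    q = pub["q"]
    sig = sign(k, M, q)
    forged = unbounded_forger(k, d, M, q, rng)
    return {"q_prime": is_prime(q),
            "valid": verify(pub, pk, M, sig),
            "tampered_rejected": not verify(pub, pk, M, ((sig[0] + 1) % q, sig[1])),
            "forged_valid": verify(pub, pk, M, forged),
            "proof_recovers_d": prove_forgery(sig, forged, q) == d}


if __name__ == "__main__":
    print(demo())
```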

Theorem 1. If there is a forged signature that passes the verification test, the 
sender is able to solve the ECDL problem. 

Proof. Suppose there exists a forged signature, (s_1', s_2'), on a single message M, 
that passes the verification test. The presumed sender produces his own 
signature, (s_1, s_2), which also passes the verification test. In this case, the following 
two equations hold: 

s_2 α + s_1 β = M α_1 + α_2   over E_p(a, b) 

and 

s_2' α + s_1' β = M α_1 + α_2   over E_p(a, b). 

Thus, 

s_2 α + s_1 β = s_2' α + s_1' β   over E_p(a, b) 
s_2 α − s_2' α = s_1' β − s_1 β   over E_p(a, b) 
(s_2 − s_2') α = (s_1' − s_1) β   over E_p(a, b)   (1) 
(s_2 − s_2') α = (s_1' − s_1) d α   over E_p(a, b)   (2) 
s_2 − s_2' = (s_1' − s_1) d   mod q   (3) 
d = (s_2 − s_2') / (s_1' − s_1)   mod q 

The correctness of deriving equation (3) from (2) is ensured by the following 
lemmas. 
Lemma 1. Any elliptic curve E_p(a, b), where q = #E_p(a, b) is also 
prime, forms a cyclic group, which is isomorphic to GF(q). Thus, any point 
other than the point at infinity is a generator of E_p(a, b). 

Lemma 2. If there is an equation of the form 

c γ = a γ + b γ 

over a curve E_p(a, b), where a, b, c ∈ GF(q) and γ ∈ E_p(a, b), and q = #E_p(a, b) 
is prime, then we have 

c = a + b   mod q. 

3.3 Security Considerations 

Lemma 3. There are q^2 equally likely secret keys that match the sender’s 
public key. 

Theorem 2. An enemy with unlimited computational power, knowing the public 
key of S and the signature on a message M, can calculate q possible secret keys 
that could have been used for signing the message. 

Theorem 3. The signer can prove a forgery with probability […]. 

Corollary 1. An enemy with unlimited computational power cannot compute 
the signer’s signature on a new message. 

Theorem 4. A computationally bounded signer cannot make signatures which 
he can later prove to be forgeries. 

Theorems 1–4 show that the proposed scheme satisfies all the requirements 
of fail-stop signatures mentioned in section 2. 

Note that the secret key is a one-time key. If two different messages are signed 
using the same secret key, the secret key can be uniquely determined. 

3.4 Signing Multiple Messages 

In order to sign multiple messages, the approaches from […] can be followed. 
However, this results in exponential growth of the number of keys. A recently 
proposed method converts a one-time fail-stop signature to sign multiple 
messages by using an accumulator […]. This method can be used in our scheme to 
enable signing multiple long messages, by choosing an accumulator (as in 
[…]). 



3.5 Second Model of Fail Stop Signatures 

The fail-stop signature proposed above can be used in the second model of FSS 
signatures, that is without a trusted party […], by allowing a recipient to play 
the role of the trusted party and hold the value d secret from the sender. In this 
case the system set-up phase in section 3.2 will be performed by the recipient. 
4 Fail-Stop Threshold Signature with Cheater Detection 

4.1 Preliminaries 

In a conventional (t, n) threshold signature scheme, there are n senders of which 
t must collaborate to generate a valid signature […]. 

In a fail-stop threshold signature, signature generation is similar to a 
conventional threshold signature, but in the case of a forged signature, senders are able 
to provide a proof of forgery. In the following we describe a fail-stop threshold 
signature scheme which is based on the FSS scheme given above. It has been 
equipped with a cheater detection property to protect against participants sending 
false shares. 

4.2 Model 

Our model follows the construction as in […]. There is a group of n senders, 
G = {S_1, S_2, ..., S_n}, a group coordinator R, a combiner C, who is only trusted in 
combining partial signatures, and a centre D that is trusted by all the recipients. 
Neither D nor R is involved in signature generation. In case of dispute, senders 
can provide a proof of forgery by solving the ECDL problem. 

As in the previous section, this model can be modified to work without a 
centre D, without changing any other setting or step. It then follows the 
model introduced in […]. 



4.3 Signature Scheme 

Initialisation 

Initialisation consists of two steps: 

1. System Setup 

2. Group Coordinator’s Setup 

System Setup 

1. D chooses an elliptic curve E_p(a, b) such that q = #E_p(a, b) is also prime. 

2. D randomly chooses a point α ∈ E_p(a, b), and a number d ∈ GF(q). 
He calculates β = dα over E_p(a, b) and discards d. Finally, he publishes 
(E_p(a, b), q, α, β). 



Group Coordinator’s Setup 

R does the following. 

1. Verify whether (α, β) is correctly located in E_p(a, b). If not, reject the public 
parameters. 

2. Randomly choose 4 non-zero elements of GF(q), k_1, k_2, k_3, k_4, 
and compute 

α_1 = k_3 α + k_1 β   over E_p(a, b) 

α_2 = k_4 α + k_2 β   over E_p(a, b) 

Publish (α_1, α_2). 

3. Randomly choose n non-zero elements of GF(q), I_1, I_2, ..., I_n, and publish 
them as identities of S_1, ..., S_n. 

4. Randomly choose 4(t − 1) elements of GF(q), a_{1,1}, a_{1,2}, a_{1,3}, a_{1,4}, ..., 
a_{t−1,1}, ..., a_{t−1,4}, and calculate 

e_{l,i} = k_i + \sum_{j=1}^{t−1} a_{j,i} I_l^j   mod q,   1 ≤ l ≤ n, 1 ≤ i ≤ 4. 

5. Randomly choose 4n non-zero elements of GF(q), b_{1,1}, b_{1,2}, b_{1,3}, b_{1,4}, ..., 
b_{n,1}, b_{n,2}, b_{n,3}, b_{n,4}, and another value λ ∈ GF(q). Calculate 

f_{i,j} = e_{i,j} + λ b_{i,j}   mod q,   1 ≤ i ≤ n, 1 ≤ j ≤ 4, 

and secretly send (e_{i,j}, b_{i,j}), 1 ≤ j ≤ 4, to S_i, 1 ≤ i ≤ n. 

6. Secretly send λ and f_{i,j}, 1 ≤ i ≤ n, 1 ≤ j ≤ 4, to C. 
Share Pooling 

Without loss of generality, assume that t participants in G, denoted by S_1, ..., S_t, 
agree to sign a non-zero message M ∈ GF(q). Each participant S_i calculates 
his partial signature as follows: 

v_{i,j} = p_i e_{i,j}   mod q,   j = 1, 2, 3, 4, 

where p_i is the Lagrange coefficient of S_i with respect to the identities 
I_1, ..., I_t of the t signing participants, so that \sum_{i=1}^{t} p_i e_{i,j} = k_j mod q. 
Then he computes 

σ_{i,1} = v_{i,1} M + v_{i,2}   mod q 
σ_{i,2} = v_{i,3} M + v_{i,4}   mod q 
κ_{i,1} = (b_{i,1} M + b_{i,2}) p_i   mod q 
κ_{i,2} = (b_{i,3} M + b_{i,4}) p_i   mod q 

and sends (p_i, σ_{i,1}, σ_{i,2}, κ_{i,1}, κ_{i,2}, M) to the combiner C. 
Share Verification by the Combiner 

On receiving a share from S_i, C can verify the share by checking whether 

f_{i,1} p_i M + f_{i,2} p_i = σ_{i,1} + λ κ_{i,1}   mod q 

and 

f_{i,3} p_i M + f_{i,4} p_i = σ_{i,2} + λ κ_{i,2}   mod q. 

If the above equations do not hold the partial signature is rejected, otherwise it 
is accepted. 

Message Signing 

After C accepts the shares from S_i, where 1 ≤ i ≤ t, she can construct the 
signature by calculating 

s_1 = \sum_{i=1}^{t} σ_{i,1}   mod q 

s_2 = \sum_{i=1}^{t} σ_{i,2}   mod q 

and publishes (s_1, s_2) as a threshold signature on message M. 

Signature Verification 

The group’s signature (s_1, s_2) can be verified by checking 

s_2 α + s_1 β = M α_1 + α_2   over E_p(a, b). 

Proof of Forgery 

In case of dispute, when a forged signature (s_1', s_2') passes the verification 
test, any t participants in G can execute the above scheme to generate their 
own signature on the same message, namely (s_1, s_2). Since both (s_1, s_2) and 
(s_1', s_2') pass signature verification, the participants are able to solve ECDL by 
calculating 

d = (s_2 − s_2') / (s_1' − s_1)   mod q 

and use this value as a proof of forgery. 
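The share distribution, partial signatures, combiner check and combination above, as an added example (not the paper’s code) over GF(q) only: q is a constructed toy prime standing in for #E_p(a, b), the coefficient p_i is taken as the standard Shamir reconstruction coefficient (an assumption, since the page only states its role), and the combined (s_1, s_2) is checked against what the single-signer scheme of Section 3 computes from the same (k_1, ..., k_4), so no curve arithmetic is needed; the cheater case shows a junk σ being rejected by the combiner.

```python
"""Threshold share pooling with cheater detection, GF(q) part only.

Added example, not the paper's code.  Q is a constructed toy prime playing
the role of q = #E_p(a,b); the Lagrange coefficient formula is the standard
Shamir one and is assumed, the page states only its role.
"""
import random

Q = 1009  # constructed toy prime, not a value from the paper


def lagrange_coeff(ids, idx, q):
    # p_i = prod_{l != i} I_l * (I_l - I_i)^(-1) mod q over the t signing
    # identities, so that sum_i p_i * e_{i,j} = k_j (interpolation at 0).
    p_i = 1
    for l, I_l in enumerate(ids):
        if l != idx:
            p_i = p_i * I_l * pow(I_l - ids[idx], -1, q) % q
    return p_i


def coordinator_setup(k, n, t, q, rng):
    # R: identities I_i, shares e_{i,j} of k_j from degree-(t-1) polynomials,
    # blinding values b_{i,j}, lambda, and the combiner's values f_{i,j}.
    ids = rng.sample(range(1, q), n)
    coeff = [[rng.randrange(q) for _ in range(t - 1)] for _ in range(4)]  # a_{m,j}
    lam = rng.randrange(1, q)
    senders, f = [], []
    for I in ids:
        e = [(k[j] + sum(coeff[j][m] * pow(I, m + 1, q) for m in range(t - 1))) % q
             for j in range(4)]
        b = [rng.randrange(1, q) for _ in range(4)]
        senders.append({"I": I, "e": e, "b": b})
        f.append([(e[j] + lam * b[j]) % q for j in range(4)])
    return senders, {"lam": lam, "f": f}


def partial_signature(sender, p_i, M, q):
    # v_{i,j} = p_i e_{i,j}; sigma and kappa exactly as in Share Pooling.
    v = [sender["e"][j] * p_i % q for j in range(4)]
    b = sender["b"]
    return {"p": p_i, "M": M,
            "sigma": ((v[0] * M + v[1]) % q, (v[2] * M + v[3]) % q),
            "kappa": ((b[0] * M + b[1]) * p_i % q, (b[2] * M + b[3]) * p_i % q)}


def combiner_accepts(combiner, i, sh, q):
    # f_{i,1} p_i M + f_{i,2} p_i == sigma_{i,1} + lambda kappa_{i,1}, and the
    # same with (f_{i,3}, f_{i,4}, sigma_{i,2}, kappa_{i,2}).
    f, lam, p_i, M = combiner["f"][i], combiner["lam"], sh["p"], sh["M"]
    return all((f[2 * c] * p_i * M + f[2 * c + 1] * p_i) % q
               == (sh["sigma"][c] + lam * sh["kappa"][c]) % q for c in (0, 1))


def combine(shares, q):
    # s1 = sum sigma_{i,1}, s2 = sum sigma_{i,2} (mod q).
    return (sum(s["sigma"][0] for s in shares) % q,
            sum(s["sigma"][1] for s in shares) % q)


def demo(n=5, t=3, M=77, seed=11, q=Q):
    rng = random.Random(seed)
    k = [rng.randrange(1, q) for _ in range(4)]       # group secret (k1..k4)
    senders, combiner = coordinator_setup(k, n, t, q, rng)
    part = [0, 2, 4]                                  # S1, S3 and S5 sign
    ids = [senders[i]["I"] for i in part]
    shares = [partial_signature(senders[i], lagrange_coeff(ids, pos, q), M, q)
              for pos, i in enumerate(part)]
    honest_ok = all(combiner_accepts(combiner, i, sh, q) for i, sh in zip(part, shares))
    # Cheater: S3 submits junk sigma_{i,1} but leaves p_i, kappa and M intact.
    junk = dict(shares[1], sigma=((shares[1]["sigma"][0] + 1) % q, shares[1]["sigma"][1]))
    return {"honest_ok": honest_ok,
            "threshold_sig": combine(shares, q),
            "single_signer_sig": ((k[0] * M + k[1]) % q, (k[2] * M + k[3]) % q),
            "cheater_caught": not combiner_accepts(combiner, part[1], junk, q)}


if __name__ == "__main__":
    print(demo())
```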



4.4 Fail-Stop Multisignature Scheme 

A multisignature scheme […] can be viewed as an (n, n) threshold scheme and 
hence, by an appropriate choice of parameters, the proposed threshold scheme can 
be easily turned into a multisignature scheme. 
5 Conclusions 

Fail-stop signatures have the desirable property that forgery can be proved and 
hence the signer is protected against an all-powerful forger. In this paper, we 
propose a fail-stop signature scheme based on elliptic curves. The scheme is 
essentially the same as the one proposed in […] but replaces the original verification 
process on the cyclic group generated by a generator of GF(p) with the cyclic 
group generated by a point on a suitably chosen elliptic curve. The main advantage 
is the lower size of the prime. We used the scheme to construct 
a fail-stop threshold signature scheme, where collaboration of t participants in 
a group is needed to sign a message. Our scheme has a cheater detection property 
and hence provides protection against senders trying to disrupt the scheme by 
sending junk instead of valid partial signatures. 
APPENDIX 

Proof of Lemma 2: 

Proof. According to the preceding lemma, every point on $E_p(a, b)$, including $\gamma$, is a generator 
of the group and has order q, where $q = \#E_p(a, b)$. The lemma follows from the 
basic property of the cyclic group generated by $\gamma$. 

Proof of Lemma 3: 

Proof. Knowing a public key $(\alpha_1, \alpha_2)$ gives the following two equations (over 
$E_p(a, b)$): 

$\alpha_1 = k_3 \alpha + k_1 \beta$ 
$\alpha_2 = k_4 \alpha + k_2 \beta$ 

Since $\beta = d\alpha$, we have 

$\alpha_1 = k_3 \alpha + k_1 d \alpha$ 
$\alpha_2 = k_4 \alpha + k_2 d \alpha$ 

or 

$\alpha_1 = (k_3 + k_1 d)\,\alpha$ 
$\alpha_2 = (k_4 + k_2 d)\,\alpha$ 

Solving the ECDL problem we have 

$k_3 + k_1 d = c_1 \bmod q$ 
$k_4 + k_2 d = c_2 \bmod q$ 

where $c_1, c_2 \in GF(q)$. Equivalently, 

$\begin{pmatrix} d & 0 & 1 & 0 \\ 0 & d & 0 & 1 \end{pmatrix} \begin{pmatrix} k_1 \\ k_2 \\ k_3 \\ k_4 \end{pmatrix} = \begin{pmatrix} c_1 \\ c_2 \end{pmatrix} \bmod q \qquad (4)$ 

This is a set of 2 linear equations in 4 unknowns where the rank of the 
coefficient matrix is equal to 2. Hence there are $q^2$ solutions, corresponding to 
assigning arbitrary values (mod q) to $k_3$ and $k_4$ ($q^2$ possibilities) and calculating 
the values of $k_1$ and $k_2$. 



Proof of Theorem: 

Proof. Knowing the public key 

$\alpha_1 = k_3 \alpha + k_1 \beta$ 
$\alpha_2 = k_4 \alpha + k_2 \beta$ 

and the signature on M, namely 

$s_1 = k_1 M + k_2 \bmod q$ 
$s_2 = k_3 M + k_4 \bmod q$ 

the enemy with unlimited power can solve the ECDL problem and rewrite these 
equations as follows 

$c_1 = k_3 + d k_1 \bmod q$ 
$c_2 = k_4 + d k_2 \bmod q$ 
$s'_1 = k_1 M + k_2 \bmod q$ 
$s'_2 = k_3 M + k_4 \bmod q$ 

where $c_1, c_2 \in GF(q)$ and $(s'_1, s'_2)$ is an acceptable signature on M. Next, he can 
rewrite these equations as follows 

$\begin{pmatrix} d & 0 & 1 & 0 \\ 0 & d & 0 & 1 \\ M & 1 & 0 & 0 \\ 0 & 0 & M & 1 \end{pmatrix} \begin{pmatrix} k_1 \\ k_2 \\ k_3 \\ k_4 \end{pmatrix} = \begin{pmatrix} c_1 \\ c_2 \\ s'_1 \\ s'_2 \end{pmatrix}$ 

It is easy to see that this matrix has rank 3 (this is true because $d\,r_3 - r_2 - 
M\,r_1 + r_4 = 0$, where $r_i$ is the i-th row of the matrix, and noting that the submatrix 
consisting of the first 3 columns has 3 independent rows), and so there are exactly 
q solutions to this equation. 

Proof of Theorem: 

Proof. Given a forged signature that passes the verification test, the presumed 
signer can generate a different signature which passes the verification test with 
probability $1 - 1/q$, where q is the number of possible signatures on a message (this 
can be seen from the preceding theorem, whose q solutions each yield one such signature). 

Proof of Corollary: 

Proof. The proof can be deduced from the preceding theorem. 

Proof of Theorem: 

Proof. To be able to deny a signature, the signer must find another secret key 
that matches his public key. This requires that he finds $(k'_1, k'_2, k'_3, k'_4)$ that 
satisfy 

$\alpha_1 = k'_3 \alpha + k'_1 \beta$ over $E_p(a, b)$ 
$\alpha_2 = k'_4 \alpha + k'_2 \beta$ over $E_p(a, b)$ 

for the published values $(\alpha_1, \alpha_2)$, which, because of the hardness of the ECDL problem, 
is hard. 
Abstract. A divertible protocol is a protocol between three parties in 
which one party is able to divert another party's proof of some facts 
to prove some other facts to the other party. This paper presents a di- 
vertible protocol to prove multi-variate polynomial relations. Its direct 
application to blind group signatures is also shown. 



1 Introduction 

1.1 Divertible Proofs 

A divertible proof is a protocol between three parties in which one party is able 
to divert another party's proof of some facts to prove some other facts to the 
other party. These three parties are usually referred to as the intermediate, the 
prover and the verifier. The notion of divertible protocol was first introduced 
by Desmedt, Goutier and Bengio. It plays a significant role in cryptogra- 
phic research both negatively and positively. The first well-known application 
of divertible protocols is the so-called Mafia fraud. In this scenario, Vera could 
possibly identify herself as Alice to Bob by simply acting as the intermediate 
between Alice (the prover) and Bob (the verifier). This problem was identified in 
the literature. However, divertible protocols also have positive applications. The first is to 
prevent subliminal channels. The concept of a subliminal channel was introduced 
by Simmons. Basically, a subliminal channel allows two parties to exchange 
secret information in the full view of another party by hiding the information in 
some "innocent-looking" communication; the third party is not able to 
detect the existence of the exchange. Using divertible protocols, the third party 
could prevent the subliminal channel by diverting the communication between 
the other two parties so that they can still receive the legitimate communication 
but would not be able to receive their secret information. Blind signatures are ano- 
ther practical application of divertible protocols. A blind signature is defined as 
a protocol between a signer and a receiver such that, as a result of the protocol 
execution, the receiver gets a signature from the signer while the signer obtains 
no substantial information about the signature. Blind signatures were initially pro- 
posed for the purpose of electronic cash by Chaum. Ohta and Okamoto 
were the first to suggest how divertible protocols can be used to construct 
blind signatures. 
1.2 Group Signature 

A group signature scheme is a protocol that allows any member of a group to 
sign on behalf of the group while it is infeasible for anyone who is not a 
group member to sign on behalf of the group. Signatures are verified using 
a single group public key. It is also infeasible to identify the signer of a given 
signature or to determine whether two signatures were signed by the same group 
member. In group signature schemes, there exists a group manager who can 
identify the member who issued any given signature. Group 
signatures were first proposed by Chaum. Several improvements and extensions 
have been proposed since. In all these proposals, the size of a signature is 
linearly dependent on the size of the group. Recently, Camenisch and Stadler 
proposed the first two fixed-size group signature schemes. Their signatures 
are based on non-interactive proofs of the possession of a valid membership 
certificate. 

1.3 Our Contribution 

In this paper, we present a divertible zero-knowledge proof of polynomial relati- 
ons. We then show how to construct a blind version of one of the Camenisch-Stadler 
group signatures using our divertible protocol. Even though zero-knowledge 
proofs of polynomial relations have already been given in the literature, making them 
divertible is not an easy task. Unlike normal divertible protocols, where the com- 
mitments of facts seen by both the prover and the verifier can be the same, a 
divertible proof of polynomial relations requires the commitments of the facts 
seen by the prover and the verifier to be different. In fact, they have to be 
witness-indistinguishable. This is required to achieve signature unlinkability in 
the corresponding blind group signatures. 

The rest of this paper is organized as follows: Section 2 presents divertible 
proofs of knowledge of secrets, and proofs of addition and multiplication relations. 
They are used as building blocks in the general construction of a divertible proof 
of polynomial relations, which is presented in Section 3. Finally, Section 4 shows 
how a blind Camenisch-Stadler group signature is constructed using the divertible 
proof of polynomial relations. 

2 Preliminaries 

Let Alice be the prover, Vera the intermediate and Bob the verifier. Also 
let g and h be members of the multiplicative group of order n over the finite field 
$\{0, .., p - 1\}$, where p is a prime number, such that $\log_g(h)$ is known to neither 
Alice nor Vera. For simplicity, all computations in this section are performed 
modulo p, unless explicitly mentioned. 

We now give the realization of a commitment scheme, a basic protocol, an 
addition protocol and a multiplication protocol. The basic protocol is a diver- 
tible proof of knowledge of secret. The addition protocol is a divertible proof 
of the addition relation and the multiplication protocol is a divertible proof of 
the multiplication relation between secrets concealed in the involved commit- 
ments. These three protocols are used in the realization of our divertible proof 
of polynomial relations. 



2.1 A Commitment Scheme 

A commitment to a value x is constructed as $s = g^x h^r$, where r is a random 
number. It reveals no information about the secret x, while it is infeasible for the 
sender to open the commitment in more than one way without the knowledge of $\log_g(h)$ (Lemma 1). 
The commitment is opened by revealing x, r. This commitment scheme is well- 
known and was introduced in earlier work. 

Lemma 1. Assuming that $\log_g(h)$ is not known, it is infeasible to know more 
than one 2-tuple (x, r) such that $g^x h^r = s$ for any constant s. 

Proof. To prove the lemma, we show that the knowledge of any two different 
2-tuples $(x_1, r_1)$ and $(x_2, r_2)$ that satisfy $g^{x_1} h^{r_1} = g^{x_2} h^{r_2} = s$ is equivalent to 
the knowledge of $\log_g(h)$. 

Given $\log_g(h)$, we choose a 2-tuple $(x_1, r_1)$ at random and form $x_2 = x_1 + 
\log_g(h)$ and $r_2 = r_1 - 1$. Then the two 2-tuples $(x_1, r_1)$ and $(x_2, r_2)$ are clearly 
different, satisfying 

$g^{x_2} h^{r_2} = g^{x_1 + \log_g(h)} h^{r_1 - 1} = g^{x_1} h^{r_1}.$ 

On the other hand, given any two different 2-tuples $(x_1, r_1)$ and $(x_2, r_2)$ 
satisfying $g^{x_1} h^{r_1} = g^{x_2} h^{r_2}$, we have 

$1 = (g^{x_1} h^{r_1})\,(g^{x_2} h^{r_2})^{-1} = g^{x_1 - x_2} h^{r_1 - r_2}.$ 

This implies $\log_g(h) = -(x_1 - x_2)(r_1 - r_2)^{-1} \bmod n$. Here $r_1 - r_2 \neq 0$, because 
otherwise $g^{x_1 - x_2} = 1$ would give $x_1 = x_2 \bmod n$ and the two 2-tuples would not be 
different. Therefore the lemma follows. 



2.2 Basic Protocol 

Setting: Alice has a commitment $s = g^x h^r$. Vera has a commitment $\sigma$ for which 
she knows $\rho$ such that $\sigma = s h^\rho$. Here Vera knows neither the value of x nor the 
value of r. 

Objective: The basic protocol is a zero-knowledge protocol in which Vera diverts 
Alice's proof of secrets for the commitment s to prove to Bob the knowledge of 
secrets for the commitment $\sigma$. 
Basic Protocol: The protocol is described in Figure 1 and summarised here in text form. 

Alice holds $(x, r, s = g^x h^r)$; Vera holds $(\rho, \sigma = s h^\rho)$; Bob holds $\sigma$. 

1. Alice picks $u, v \in_R \mathbb{Z}_n$, computes $w = g^u h^v$ and sends w to Vera. 
2. Vera picks $\kappa, \lambda, \mu \in_R \mathbb{Z}_n$, computes $\omega = w^\kappa g^\lambda h^\mu$ and sends $\omega$ to Bob. 
3. Bob picks a challenge $\gamma \in_R \mathbb{Z}_n$ and sends $\gamma$ to Vera. 
4. Vera computes $c = \gamma / \kappa \bmod n$ and sends c to Alice. 
5. Alice computes $a = u - cx \bmod n$ and $b = v - cr \bmod n$ and sends a, b to Vera. 
6. Vera checks $w = s^c g^a h^b$, then computes $\alpha = a\kappa + \lambda$ and $\beta = b\kappa - \gamma\rho + \mu$ and sends $\alpha, \beta$ to Bob. 
7. Bob accepts if $g^\alpha h^\beta \sigma^\gamma = \omega$. 

Alice's view is $V_{Alice} = \{x, r, s, w, c, a, b\}$ and Bob's view is $V_{Bob} = \{\sigma, \omega, \gamma, \alpha, \beta\}$. 

Figure 1: Divertible Proof of Knowledge 

Lemma 2. (Completeness) If Alice and Vera follow the protocol, Bob always 
accepts the proof. 

Proof. As $\sigma = s h^\rho$, $\gamma = c\kappa$ and $s = g^x h^r$, we have 

$g^\alpha h^\beta \sigma^\gamma = g^{\kappa(u - cx) + \lambda} h^{\kappa(v - cr) - \gamma\rho + \mu} \, g^{x c\kappa} h^{(r + \rho) c\kappa} = (g^u h^v)^\kappa g^\lambda h^\mu = w^\kappa g^\lambda h^\mu = \omega.$ 

Lemma 3. (Soundness) The basic protocol convinces Bob of the knowledge of the 
secrets concealed in the commitment $\sigma$ with an overwhelming probability. 

Proof. First observe that in order to convince Bob, Vera must be able to respond 
correctly to at least one challenge $\gamma$. On the other hand, if Vera can answer two 
different challenges $\gamma_1, \gamma_2$ correctly, then we have $g^{\alpha_1} h^{\beta_1} \sigma^{\gamma_1} = g^{\alpha_2} h^{\beta_2} \sigma^{\gamma_2} = \omega$, 
where $(\alpha_i, \beta_i)$ is Vera's response for challenge $\gamma_i$ (i = 1, 2). This implies $1 = 
g^{\alpha_1 - \alpha_2} h^{\beta_1 - \beta_2} \sigma^{\gamma_1 - \gamma_2}$. As $\gamma_1 \neq \gamma_2$, we have $\sigma = g^{(\alpha_2 - \alpha_1)/(\gamma_1 - \gamma_2)} h^{(\beta_2 - \beta_1)/(\gamma_1 - \gamma_2)}$, i.e. Vera 
is able to prove the secrets of the commitment $\sigma$. Thus the scenario where Vera 
convinces Bob of the knowledge of the secrets of $\sigma$ while having no access to the 
secrets of $\sigma$ only occurs when Vera is able to respond correctly to exactly one challenge, 
and this happens to be the challenge $\gamma$ chosen by Bob. As $\gamma$ is chosen at random by 
Bob, this happens with probability 1/n. Hence, the basic protocol convinces Bob of 
the knowledge of the secrets of the commitment $\sigma$ with an overwhelming probability of 
(1 - 1/n). 

Lemma 4. (Witness-Indistinguishable) For any instance of the protocol 
run, Alice's view ($V_{Alice}$) and Bob's view ($V_{Bob}$) of the protocol are statistically 
independent. 

Proof. To show that $V_{Alice}$ and $V_{Bob}$ of the same instance of the protocol are 
statistically independent, we show that there exists a legitimate instance S of the 
protocol for any $V_{Alice} = \{x_1, r_1, s_1, w_1, c_1, a_1, b_1\}$ and $V_{Bob} = \{\sigma_2, \omega_2, \gamma_2, \alpha_2, \beta_2\}$. 
Here $V_{Alice}$ and $V_{Bob}$ do not necessarily come from the same instance of the 
protocol. 

To prove that S is legitimate, we show that there exist $\rho, \kappa, \lambda, \mu$ that satisfy 

$\sigma_2 = s_1 h^\rho$ (1) 
$\omega_2 = w_1^\kappa g^\lambda h^\mu$ (2) 
$\gamma_2 = c_1 \kappa$ (3) 
$\alpha_2 = a_1 \kappa + \lambda$ (4) 
$\beta_2 = b_1 \kappa - \gamma_2 \rho + \mu$ (5) 

As $\sigma_2, s_1, \gamma_2, c_1$ are known, there exist unique $\rho, \kappa$ that satisfy (1) and (3). 
Moreover, as $\alpha_2 = a_1 \kappa + \lambda$, there exists a unique legitimate $\lambda$ satisfying (4). 
Similarly, there also exists a unique legitimate $\mu$ that satisfies (5). Hence there 
exists a unique tuple $\{\rho, \kappa, \lambda, \mu\}$ that satisfies (1), (3), (4) and (5). Now we show 
that this tuple also satisfies (2). 

Because $V_{Alice}$ and $V_{Bob}$ are legitimate, we have $w_1 = s_1^{c_1} g^{a_1} h^{b_1}$ and $\omega_2 = 
g^{\alpha_2} h^{\beta_2} \sigma_2^{\gamma_2}$. Thus $\omega_2 = g^{a_1 \kappa + \lambda} h^{b_1 \kappa - \gamma_2 \rho + \mu} (s_1 h^\rho)^{c_1 \kappa} = (s_1^{c_1} g^{a_1} h^{b_1})^\kappa 
g^\lambda h^\mu = w_1^\kappa g^\lambda h^\mu$, i.e. $\{\rho, \kappa, \lambda, \mu\}$ satisfies (2). 



2.3 Addition 

Setting: Alice has three commitments $s_i = g^{x_i} h^{r_i}$ (i = 1, 2, 3) that satisfy $x_3 = 
a x_1 + b x_2 \bmod n$. Vera has three commitments $\sigma_i$ (i = 1, 2, 3) for which she 
knows $\rho_i$ (i = 1, 2, 3) such that $\sigma_i = s_i h^{\rho_i}$. Here Vera knows neither the value of 
$x_i$ nor the value of $r_i$ (i = 1, 2, 3). 

Action: The addition protocol is a zero-knowledge protocol in which Vera diverts 
Alice's proof of the addition relation $x_3 = a x_1 + b x_2 \bmod n$ of the secrets $x_1, x_2, x_3$ 
concealed in $s_1, s_2, s_3$ to prove to Bob the relation $x_3 = a x_1 + b x_2 \bmod n$ of the 
secrets $x_1, x_2, x_3$ concealed in the commitments $\sigma_1, \sigma_2, \sigma_3$. Here a, b are some 
public constants. This protocol only demonstrates the addition relation. It does 
not prove the knowledge of the concealed secrets. 
Addition Protocol: The protocol is described in Figure 2 and summarised here in text form. 

Alice holds $(x_i, r_i, s_i = g^{x_i} h^{r_i})$ for i = 1, 2, 3; Vera holds $(\rho_i, \sigma_i = s_i h^{\rho_i})$ for i = 1, 2, 3; Bob holds $(\sigma_1, \sigma_2, \sigma_3)$. 

1. Alice computes $r = r_3 - a r_1 - b r_2 \bmod n$ and sends r to Vera. 
2. Vera computes $\rho = r + \rho_3 - a\rho_1 - b\rho_2$ and sends $\rho$ to Bob. 
3. Bob accepts if $\sigma_3 = \sigma_1^a \sigma_2^b h^\rho$. 

Figure 2: Divertible Proof of Addition Relation 

Lemma 5. (Completeness) If Alice and Vera follow the protocol, Bob always 
accepts the proof. 

Proof. We have $\sigma_1^a \sigma_2^b h^\rho = g^{a x_1 + b x_2} h^{a r_1 + b r_2 + a\rho_1 + b\rho_2 + \rho}$ because $\sigma_i = s_i h^{\rho_i} = 
g^{x_i} h^{r_i + \rho_i}$ (i = 1, 2, 3). 

Also $\rho = r + \rho_3 - a\rho_1 - b\rho_2 = r_3 - a r_1 - b r_2 + \rho_3 - a\rho_1 - b\rho_2$ and $x_3 = a x_1 + b x_2$, 
hence we have $g^{a x_1 + b x_2} h^{a r_1 + b r_2 + a\rho_1 + b\rho_2 + \rho} = g^{x_3} h^{r_3 + \rho_3} = \sigma_3$. 

Lemma 6. (Soundness) If $\sigma_3 = \sigma_1 \sigma_2 h^\rho$ holds (the case a = b = 1; the general case is 
analogous), Bob is convinced with an overwhelming probability that the addition relation 
between the secrets holds. 

Proof. The addition protocol does not prove the knowledge of secrets; it only 
proves the addition relation. Assume that $\sigma_i$ is a commitment computed as 
$g^{x_i} h^{r_i}$ (i = 1, 2, 3). Then according to Lemma 1, $\sigma_3 = \sigma_1 \sigma_2 h^\rho$ holds only when the 
two 2-tuples $(x_3, r_3)$ and $(x_1 + x_2, r_1 + r_2 + \rho)$ are identical. Thus $\sigma_3 = \sigma_1 \sigma_2 h^\rho$ 
demonstrates the addition relation $x_3 = x_1 + x_2$, where $x_i$ is the secret concealed 
in the commitment $\sigma_i$. 

Lemma 7. (Witness-Indistinguishable) For any instance of the protocol 
run, Alice's view and Bob's view of the protocol are statistically independent. 

Proof. Given an Alice's view and a Bob's view, it is straightforward to prove 
the existence of a legitimate instance of the addition protocol using a technique 
similar to the one given in the proof of Lemma 4. Here the views do not 
necessarily come from the same instance. Thus the addition protocol is witness- 
indistinguishable. 
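The commitment scheme of Section 2.1, the basic protocol of Figure 1 and the addition protocol of Figure 2, as an added Python example that is not the authors' code. The group is a constructed toy: p = 2039, n = 1019, with g and h taken as squares so that both have order n; the logarithm $\log_g(h)$ that Lemma 1 assumes unknown is trivially computable at this size and is used only to illustrate the forward direction of that lemma. The multiplication protocol is not included because Figure 3 is not reproduced in this text.

```python
import secrets

# Toy group (constructed for this example): p = 2n + 1 is a safe prime, so any
# non-trivial square mod p generates the subgroup of prime order n. In practice
# g and h must come from a setup in which nobody learns log_g(h).
P, N = 2039, 1019
G = pow(2, 2, P)
H = pow(3, 2, P)


def commit(x, r):
    """Commitment s = g^x h^r to x with randomness r (Section 2.1)."""
    return pow(G, x % N, P) * pow(H, r % N, P) % P


def second_opening(x1, r1, log_g_h):
    """Lemma 1, forward direction: whoever knows log_g(h) can open a
    commitment two ways, so binding rests entirely on that logarithm."""
    return (x1 + log_g_h) % N, (r1 - 1) % N


def basic_protocol(x, r, rho, gamma=None):
    """Divertible proof of knowledge for s = g^x h^r (Figure 1). Returns Bob's
    verdict together with Alice's and Bob's views."""
    s = commit(x, r)
    sigma = s * pow(H, rho, P) % P                   # Vera's re-randomised commitment
    u, v = secrets.randbelow(N), secrets.randbelow(N)
    w = commit(u, v)                                 # Alice -> Vera
    kappa = 1 + secrets.randbelow(N - 1)             # must be invertible mod n
    lam, mu = secrets.randbelow(N), secrets.randbelow(N)
    omega = pow(w, kappa, P) * commit(lam, mu) % P   # Vera -> Bob
    if gamma is None:
        gamma = secrets.randbelow(N)                 # Bob -> Vera
    c = gamma * pow(kappa, -1, N) % N                # Vera -> Alice
    a, b = (u - c * x) % N, (v - c * r) % N          # Alice -> Vera
    if w != pow(s, c, P) * commit(a, b) % P:         # Vera checks Alice first
        raise ValueError("Alice's response does not verify")
    alpha = (a * kappa + lam) % N                    # Vera -> Bob
    beta = (b * kappa - gamma * rho + mu) % N
    accepted = commit(alpha, beta) * pow(sigma, gamma, P) % P == omega
    v_alice = {"x": x, "r": r, "s": s, "w": w, "c": c, "a": a, "b": b}
    v_bob = {"sigma": sigma, "omega": omega, "gamma": gamma,
             "alpha": alpha, "beta": beta}
    return accepted, v_alice, v_bob


def addition_protocol(xs, rs, rhos, a, b):
    """Divertible proof that x3 = a*x1 + b*x2 mod n (Figure 2); returns Bob's verdict."""
    (x1, x2, x3), (r1, r2, r3), (p1, p2, p3) = xs, rs, rhos
    sig = [commit(x, r) * pow(H, p, P) % P for x, r, p in zip(xs, rs, rhos)]
    r = (r3 - a * r1 - b * r2) % N                   # Alice -> Vera
    rho = (r + p3 - a * p1 - b * p2) % N             # Vera -> Bob
    return pow(sig[0], a, P) * pow(sig[1], b, P) * pow(H, rho, P) % P == sig[2]
```

Bob's final check in `basic_protocol` is exactly $g^\alpha h^\beta \sigma^\gamma = \omega$; Vera's own check of Alice's answer is what lets her refuse to forward a response that would make Bob reject, and the returned views contain no value in common, which is the witness-indistinguishability that the blind signature of Section 4 relies on.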

2.4 Multiplication Protocol 

Setting: Alice has three commitments $s_i = g^{x_i} h^{r_i}$ (i = 1, 2, 3) that satisfy $x_3 = 
x_1 x_2 \bmod n$. Vera has three commitments $\sigma_i$ (i = 1, 2, 3) for which she knows $\rho_i$ 
(i = 1, 2, 3) such that $\sigma_i = s_i h^{\rho_i}$. Here Vera knows neither the value of $x_i$ nor 
$r_i$ (i = 1, 2, 3). 

Action: The multiplication protocol is a zero-knowledge protocol in which Vera di- 
verts Alice's proof of the multiplication relation $x_3 = x_1 x_2 \bmod n$ of the secrets 
$x_1, x_2, x_3$ concealed in $s_1, s_2, s_3$ to prove to Bob the multiplication relation $x_3 = x_1 x_2 \bmod n$ 
of the secrets $x_1, x_2, x_3$ concealed in the commitments $\sigma_1, \sigma_2, \sigma_3$. 




Figure 3: Divertible Proof of Multiplication Relation 

Lemma 8. (Completeness) If Alice and Vera follow the protocol, Bob always 
accepts the proof. 

Proof. To prove the completeness, we show that $g^\alpha h^{\beta_1} \sigma_1^\gamma = \omega_1$ and $\sigma_2^\alpha h^{\beta_2} \sigma_3^\gamma = \omega_2$ 
hold. Since $c = \gamma/\kappa$, $\gamma = c\kappa$. Then we have 

$g^\alpha h^{\beta_1} \sigma_1^\gamma = g^{\kappa(u - c x_1) + \lambda} h^{\kappa(v_1 - c r_1) + \mu_1} \, g^{c\kappa x_1} h^{c\kappa r_1} = g^{\kappa u + \lambda} h^{\kappa v_1 + \mu_1} = \omega_1.$ 
Similarly it is straightforward to verify that $\sigma_2^\alpha h^{\beta_2} \sigma_3^\gamma = \omega_2$ holds. 

Lemma 9. (Soundness) If $g^\alpha h^{\beta_1} \sigma_1^\gamma = \omega_1$ and $\sigma_2^\alpha h^{\beta_2} \sigma_3^\gamma = \omega_2$ hold, Bob is con- 
vinced with an overwhelming probability that the multiplication relation between 
the secrets holds. 

Proof. The multiplication protocol consists of two instances of the basic protocol 
that run in parallel. The first instance convinces Bob of the knowledge of the secrets 
of the commitment $\sigma_1$ with respect to the base [g, h] and the second instance 
convinces him of the knowledge of the secrets of the commitment $\sigma_3$ with respect to the 
base $[\sigma_2, h]$. According to the proof of Lemma 3, they hold with an overwhelming 
probability. Moreover, in these two instances, Vera sends the same $\alpha$ in both 
instances to prove the knowledge of the discrete logarithm part of the bases g and $\sigma_2$ 
in the representations of $\sigma_1$ and $\sigma_3$ to the bases [g, h] and $[\sigma_2, h]$ respectively. This 
indicates that the exponent of the base g in the representation of $\sigma_1$ to the base 
[g, h] equals that of the base $\sigma_2$ in the representation of $\sigma_3$ to the base $[\sigma_2, h]$. 
This shows that the exponent of the base g in the representation of $\sigma_3$ to the 
base [g, h] is the product of the exponents of the base g in the representations 
of $\sigma_1$ and $\sigma_2$ to the base [g, h], which proves the multiplication relation between 
the secrets. 

Lemma 10. (Witness-Indistinguishable) For any instance of the protocol 
run, Alice's view and Bob's view of the protocol are statistically independent. 

Proof. Given any Alice's view and Bob's view, it is straightforward to prove 
that there exists a legitimate instance of the multiplication protocol using a 
technique similar to the one given in the proof of Lemma 4. Thus the 
protocol is witness-indistinguishable. 



3 Divertible Zero-Knowledge Proof of Polynomial 
Relation 

A divertible zero-knowledge proof of polynomial relation is a protocol in which 
Vera is able to divert Alice's proof of a polynomial relation to Bob. After any 
instance of the protocol, Alice's view and Bob's view of the protocol are stati- 
stically independent. 

More specifically, let $f(X_1, .., X_t)$ be the given multi-variable polynomial. 
The relation to be demonstrated is the knowledge of a t-tuple $(x_1, .., x_t)$ satis- 
fying $f(x_1, .., x_t) = 0 \bmod n$. The divertible protocol works as follows: 

THE GENERAL PROTOCOL 

STEP 1: 

First Alice creates an arithmetic circuit corresponding to the polynomial ac- 
cording to the following BNF: 

$f ::= c \bmod n \;|\; X_i \bmod n \;|\; f + f \bmod n \;|\; f * f \bmod n$ 
Clearly, the circuit only consists of addition and multiplication gates. Then Alice 
makes t commitments $s_1, .., s_t$ such that $s_i$ conceals the value of $x_i$. Also Alice 
makes m commitments $s_{t+1}, .., s_{t+m}$, each concealing the output of some gate 
in the circuit. Here m is the number of gates in the circuit and there is only 
one commitment concealing the secret of any particular gate. Without loss 
of generality, let us assume that $s_{t+m}$ is the commitment of the final gate, i.e. 
$s_{t+m}$ conceals the value $f(x_1, .., x_t)$. 

STEP 2: 

Alice then sends the t + m commitments $s_1, .., s_{t+m}$ to Vera, who in turn chooses 
t + m random numbers $\rho_i$ and forms $\sigma_i = s_i h^{\rho_i}$ (i = 1, .., t + m). Vera then sends 
all the values $\sigma_i$ to Bob (i = 1, .., t + m). 

STEP 3: 

Alice, Vera and Bob run t instances of the basic protocol to convince Bob of the 
knowledge of the secrets concealed in the t commitments $s_1, .., s_t$. 

STEP 4: 

For each gate, let $s_i, s_j$ be Alice's commitments concealing the inputs of the 
gate and $s_k$ be Alice's commitment concealing the output of the gate. Similarly 
let $\sigma_i, \sigma_j$ and $\sigma_k$ be Vera's commitments concealing the two inputs and the output 
of the gate. Vera together with Alice and Bob run the multiplication (addition) 
protocol to convince Bob of the multiplication (addition) relation between the secrets 
concealed in $\sigma_i, \sigma_j$ and $\sigma_k$. 

STEP 5: 

Alice opens the commitment $s_{t+m}$, showing $r_{t+m}$. Vera, in turn, gives Bob the 
value $r = r_{t+m} + \rho_{t+m}$. Bob accepts the proof if and only if all proofs in steps 3 
and 4 hold and $\sigma_{t+m} = h^r$. 

This model has been used before for normal (i.e., non-divertible) polynomial 
relations. It is straightforward to realize the model's completeness and soundness. 
Interested readers are referred to the literature. 

3.1 Divertible Zero-Knowledge Protocol to Confirm 
$ax^5 + b = 0 \bmod n$ 

As an example, we show a divertible zero-knowledge protocol to confirm the 
knowledge of x such that $ax^5 + b = 0 \bmod n$. 

The protocol works as follows: 

1. First Alice sends to Vera 4 commitments $\mathrm{commit}(x^i) = g^{x^i} h^{r_i}$ (i = 1, 2, 4, 5) 
which are calculated by Alice. 

2. Vera sends to Bob 4 commitments $\mathrm{commit}'(x^i) = \mathrm{commit}(x^i)\, h^{\rho_i}$, where $\rho_i$ 
(i = 1, 2, 4, 5) are numbers known only to Vera. 

3. Alice, Vera and Bob then run three multiplication protocols, where Alice is 
the prover, Vera is the intermediate and Bob is the verifier, to prove the 
following relations: 

1: $x_2 = x_1^2$ 

2: $x_4 = x_2^2$ 

3: $x_5 = x_4 x_1$ 

where $x_i$ is the secret committed in $\mathrm{commit}(x^i)$ and $\mathrm{commit}'(x^i)$. 

4. Alice, Vera and Bob run an addition protocol to prove the relation $ax_5 + 
b = 0 \bmod n$ for Alice's commitment $\mathrm{commit}(x^5)$ and Vera's commitment 
$\mathrm{commit}'(x^5)$. Here the committed secret is $x^5$ and the two other commit- 
ted values are 1 and 0. These two numbers are public information. It is 
straightforward to see that our addition protocol also works in this case. 

Once the process is completed, Bob is convinced of the knowledge of x such that 
$ax^5 + b = 0 \bmod n$. 

4 Blind Group Signature 

A group signature allows members of a group to sign on behalf of the group. 
Signatures are verified using a single group public key. There also exists a group 
manager who can detect the misbehaviour of the group members. 

Camenisch and Stadler proposed two fixed-size group signature sche- 
mes in which the size of signatures and of the private keys is independent of the size 
of the group. In this section, we show how to blind the more efficient of 
these two schemes. 

In that scheme, a group signature consists of two non-interactive proofs; the 
first proves the knowledge of a valid certificate and the second proves that the 
group manager can identify the member who issued the signature. A members- 
hip certificate is of the form (x, y) satisfying $ax^\alpha + by^\beta = c \bmod n$, where 
$a, b, c, \alpha, \beta, n$ are public information and n is a large RSA modulus chosen by the 
group manager. A proof of knowledge that the group manager can "open" the 
signature is a proof of knowledge of (r, s) for the signature components A and B, 
where $s = ax^\alpha$ and $g_x$ is the manager's public key. 

To obtain a blind Camenisch-Stadler group signature, we only have to con- 
vert the non-interactive proofs in a signature into divertible ones. Hence the 
signature generation procedure is now a set of two divertible protocols in which 
the signer plays the role of the prover and the receiver plays the roles of both 
the intermediate and the verifier. The first is to prove the knowledge of (x, y) 
that satisfies the polynomial relation $ax^\alpha + by^\beta = c \bmod n$. This can be easily 
realized using our divertible proof of polynomial relation. The second proof is to 
prove the relation between the blinded components $A'$ and $B'$ and the commitments 
A and B generated by the signer and seen by the receiver, where the blinding value is 
secretly generated by the receiver. The divertible proof of this relation consists of two 
instances of the basic protocol run in parallel to prove the knowledge of (r', s) for 
$A'$ and $B'$, where $A'$ and $B'$ are A and B re-randomised by the same offset r - r' 
chosen secretly by the user, and A, B are the normal signature components computed 
by the signer. To ensure that the value of s is indeed $ax^\alpha$, the commitment of 
$ax^\alpha$ in the first proof must be identical to A. 

All the proofs must use the same challenge $\gamma$, which is computed as $\gamma = 
h(m \| inf)$, where h is a secure one-way hash function, m is the message, $\|$ denotes 
concatenation and inf is the concatenation of all the commitments seen by 
Bob in the whole process. This technique is well-known and has been proven secure 
in previous work. The blind signature on the message m then consists of 
all the information used by Bob to verify the relation $ax^\alpha + by^\beta = c \bmod n$. 

The completeness of this blind signature scheme is clear. This is because a 
signature generation procedure is a set of divertible protocols. It results in two 
non-interactive proofs, which form a legitimate signature. On the other hand, 
our divertible proof of polynomial relation is sound. The technique of running 
two instances of a proof of knowledge of a discrete logarithm to prove the 
equality of the two discrete logarithms is well-known and secure. In fact, it is 
also used in the original signature scheme. Hence our blind signature is sound. 
Finally, as the divertible protocols ensure that the receiver's view of the overall 
protocol and the signer's view of the protocol are witness-indistinguishable, the 
signer cannot link any signature to any signature generating instance, i.e., the 
blindness property holds. 
Abstract. The paper discusses the correctness of Lee, Hwang and 
Wang's comments on Zhang's proxy signature schemes. In particular, 
it is shown that the cheating attack proposed by Lee, Hwang and Wang 
can be detected by the owner of the signature scheme. It is argued that, 
considering the context in which proxy signatures are used, the attack 
is not a security problem. The work is concluded by a discussion about 
the non-repudiation controversy incorrectly observed by Lee, Hwang and 
Wang. 

Keywords: Cryptography, Digital Signatures, Proxy Signatures, ElGa- 
mal signatures. 



1 Introduction 

One of the greatest achievements of modern cryptography is the invention of di- 
gital signatures. Digital signatures should be in a sense similar to hand-written 
ones. That is, the recipient must be able to verify the signature. A hand-written 
signature is verified by comparing it to other, authentic signatures. In contrast 
to hand-written signatures, which are independent of messages, digital signatures 
must somehow reflect both the message and the signer. That is, digital signa- 
tures have to create some sort of encapsulation of the document such that any 
interference with either its contents or the signature will be detected with a very 
high probability. In order to achieve this requirement, digital signatures are 
generated by a signer who holds secret information which somehow reflects 
her identity. To verify digital signatures, the receiver of a document applies a 
publicly known algorithm. 

Several digital signature schemes have been proposed in the literature. In this 
paper we consider an ElGamal type digital signature scheme. The scheme is 
due to Nyberg and Rueppel and is used in the proxy signature schemes discussed 
below. The system parameters are as follows: 

— a large prime p, 

— a prime factor q of p − 1, 
— an element $g \in \mathbb{Z}_p^*$ of order q, 

— a signer holds his/her secret key $x \in \mathbb{Z}_q$ and publishes the corresponding 
public key $y = g^x \pmod p$. 

We assume that m = h(M), where M is the original message of ar- 
bitrary length and h(·) is a public cryptographically strong hash function. If 
the signer wants to sign m, 0 < m < p, then he selects a random $k \in \mathbb{Z}_q$ and 
computes 

$r = m g^k \pmod p$ 
$s = rx + k \pmod q$ 

The pair (r, s) is the signature of the message m. To verify the validity of a 
signature, one can check 

$m = g^{-s} y^r r \pmod p.$ 

If the equation holds then the signature is accepted, otherwise the signature is re- 
jected. 

1.1 Proxy Signature 

Typically, the owner of the signature scheme may wish to delegate the power of 
signing to a proxy who will be able to sign messages on behalf of the owner. The 
following properties are expected to hold for the delegation. 

1. The receiver of the signature should be able to verify the proxy signature in 
a similar way to the verification of the owner's signature. 

2. The proxy signature must be distinguishable from the signature generated 
by the owner. 

3. The signature must be non-repudiable, that is, neither the owner nor the 
proxy must be able to sign in place of the other party. In other words they 
cannot deny their signatures. 

Proxy signatures were proposed to facilitate this kind of delegation. Zhang proposed 
proxy signature schemes that satisfy the requirements mentioned above. Lee, Hwang 
and Wang analysed two proxy signature schemes proposed by Zhang. They claim that 
Zhang's proxy signature schemes are subject to a cheating attack that enables the proxy 
signer to get the original signer to sign any message chosen by the proxy. They 
also argue that Zhang's second scheme is not non-repudiable. That is, the original 
signer can obtain the proxy signer's secret and thus can sign any message in place 
of the proxy signer. 

In this paper we show that the cheating attack proposed by Lee, Hwang and 
Wang can be detected by the original signer. Moreover, we will show that the 
non-repudiation controversy they raise is due to some misconceptions of the 
authors. The organisation of the paper is as follows. First we give a brief review 
of Zhang's two proxy signature schemes. In Section 3 we consider Lee-Hwang- 
Wang's arguments on Zhang's schemes. Finally, in Section 4 we will show why 
Lee-Hwang-Wang's arguments are not correct. 
2 Zhang's Proxy Signature Schemes 

Consider a large prime p, a prime factor q of p − 1 and an element $g \in \mathbb{Z}_p^*$ of order 
q. Assume that Alice, who keeps a secret key x and has published the 
corresponding public key $y = g^x \pmod p$, wants to delegate signing capability 
to Bob. The first scheme is constructed as follows. 

1. Alice selects a random number k and computes $\bar{r} = g^k \pmod p$, and sends 
$\bar{r}$ to Bob. 

2. Bob randomly chooses $\alpha \in \mathbb{Z}_q$ and computes $r = g^\alpha \bar{r} \pmod p$, and then 
communicates r to Alice. 

3. Alice computes $\bar{s} = rx + k \pmod q$ and forwards $\bar{s}$ to Bob. 

4. Bob computes $s = \bar{s} + \alpha \pmod q$ and accepts s as a valid proxy signature 
key if the following equation holds: 

$g^s = y^r r \pmod p.$ 

Hence, Bob can apply the previously mentioned ElGamal type digital signa- 
ture scheme to sign any given message using his secret key s. The verification 
algorithm, however, uses the public key $y' = y^r r \pmod p$. 

Zhang also proposed another variant of the proxy signature scheme. This 
scheme requires the following exchange of messages between Alice and Bob. 

— Alice selects a random number k and computes $\bar{r} = g^k \pmod p$, and sends 
$\bar{r}$ to Bob. 

— Bob randomly chooses $\beta \in \mathbb{Z}_q$ and computes $r = \bar{r}^{\beta} \pmod p$ and $r' = 
r\beta^{-1} \pmod q$, then communicates r' to Alice. 

— Alice computes $\bar{s} = r'x + k \pmod q$ and forwards $\bar{s}$ to Bob. 

— Bob computes $s = \bar{s}\beta \pmod q$ and accepts s as a valid proxy signature 
key if the following equation holds: 

$g^s = y^r r \pmod p.$ 

The generation of a proxy signature and its verification is similar to the previous 
scheme. 

3 Lee-Hwang-Wang's Remarks on Zhang's Schemes 

3.1 Cheating Attack 

Lee, Hwang and Wang [?] argued that a dishonest proxy signer, Bob, could cheat 
Alice and get her signature on any message of his choice. Their attack works as 
follows. 

Alice $\longrightarrow$ Bob: $\bar r = g^{k} \pmod p$ 

Alice $\longleftarrow$ Bob: $r = m\bar r \pmod p$ 

Alice $\longrightarrow$ Bob: $\bar s = rx + k \pmod q$ 

Instead of choosing a random $\alpha$ and computing $g^{\alpha}$, Bob calculates $r = m\bar r$, 
where $m$ is a message of his choice. Hence, at the end of the protocol, Bob gets 
Alice's signature $(r, \bar s)$ on message $m$. 

3.2 Non-repudiation Controversy 

In [?] Lee, Hwang and Wang also claimed that Zhang's second scheme was not 
non-repudiable. Their argument is that, after the proxy signer (Bob) generates 
his signature $(r, s_{Bob})$ on a message, the original signer (Alice) can get the value 
$r$ to calculate 

$\beta = r r'^{-1} \pmod q$, 

since she knows $r'$ from the key delegation protocol. Hence, Alice obtains Bob's 
secret key as 

$s = \bar s \beta \pmod q$, 

and therefore can sign any message in place of Bob. 

4 Our Observations 

In this section we analyse the above-mentioned remarks on Zhang's proxy 
signature schemes and show why they are not correct. 

4.1 Comments on Cheating in a Proxy Signature 

In a sense, the Lee-Hwang-Wang cheating attack works. However, a cheating 
attack is successful only if it is not detectable. Here we show that the original 
signer (Alice) can prove that the proxy signer (Bob) has been cheating in the key 
delegation protocol. We have to stress that all messages exchanged between the two 
parties during the key delegation protocol have to be authenticated; otherwise 
anybody could impersonate Bob and get a proxy key from Alice. To be fair to 
Lee, Hwang and Wang, we can argue in their favour by saying that: 

1. the existence of a trusted third party necessary to solve a dispute between 
the owner (Alice) and the proxy (Bob) is a rather strong assumption, 

2. by the time Alice notices that her alleged signature has been generated on 
her behalf, it may be too late: the damage may already be done. 

The first argument does not really work, as by the principle of proxy delegation 
the proxy, Bob, is delegated to sign any message on behalf of Alice, even a 
message which has been explicitly forbidden by Alice. If Bob disobeys Alice's 
orders, he will be subject to disciplinary action or to court proceedings, both 
of which involve a trusted third party. So the existence of a trusted third party 
is already embedded in the proxy signature scheme. 

The second argument does not stick either. If Bob is malicious and tries to 
inflict the maximum possible damage on Alice, he would rather adhere strictly 
to the delegation protocol, so that later he may be able to sign any message on her 
behalf. If Bob cheats in the delegation protocol, then he can get Alice's signature 
for a single message of his choice. We will show later that the cheating will be detected 
by Alice anyway. Moreover, Alice can prove to a trusted third party that Bob 
was cheating. This is similar to the case when Bob has signed a message which 
was explicitly forbidden by Alice. 



4.2 Cheating Detection 

In case of suspected cheating, Alice can detect it by running the following steps. 

1. Alice looks through the transcripts of key delegation protocols to identify 
the signature of the message $m$ in question. 

2. If Alice has been cheated in the second step of the key delegation protocol, 
she can detect the cheating by finding 

$r = m\bar r \pmod p$, 

where $\bar r$ was generated by herself in the first step and $r$ was authenticated 
by Bob in the second step (in addition, Alice knows $k$ such that $\bar r = g^{k}$). 

3. In order to prove that Bob is a cheater, Alice asks Bob (as a proxy signer) 
to sign a given message. If Bob is able to sign the message then Alice must 
accept the authorship of the signature, otherwise Bob is a cheater. 

To show the correctness of our arguments, we note that: 

— If Bob selects a message $m$ of his choice then he cannot find a corresponding 
$\alpha$ such that $g^{\alpha} = m \pmod p$, provided the selected instance of the discrete 
logarithm problem is hard. 

— Since Bob does not know $\alpha$, he cannot find $s = \bar s + \alpha \pmod q$ and therefore 
cannot sign the message as a proxy signer. 

That is to say, Alice can easily prove that $m$ is not a genuine message she has 
signed. This means that Bob is a cheater. In conclusion, the weakness indicated 
by Lee, Hwang and Wang is not a security problem. 
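The two key delegation protocols of Section 2, the cheating transcript of Section 3.1 and Alice's detection check of Section 4.2, run as an added example that is not part of the paper. The group ($p = 23$, $q = 11$, $g = 2$), the function names and the sample values are constructed for illustration only; the ElGamal-type signing step Bob would perform afterwards is not modelled.

```python
# Added example (not from the paper): toy run of Zhang's two key-delegation
# protocols (Section 2), the Lee-Hwang-Wang cheating transcript (Section 3.1)
# and Alice's detection check (Section 4.2).  All parameters are constructed
# toy values, far too small for real use.
import secrets

# Constructed toy group: q = 11 divides p - 1 = 22, and g = 2 has order 11 in
# Z_23^* because 2^11 = 2048 = 89 * 23 + 1.
P, Q, G = 23, 11, 2


def scheme1_delegation(x, k, alpha):
    """Scheme 1 for Alice's secret x, Alice's nonce k and Bob's nonce alpha.
    Returns (r_bar, r, s_bar, s): the three exchanged values and Bob's proxy key."""
    r_bar = pow(G, k, P)                     # step 1: Alice -> Bob
    r = (pow(G, alpha, P) * r_bar) % P       # step 2: Bob -> Alice
    s_bar = (r * x + k) % Q                  # step 3: Alice -> Bob
    s = (s_bar + alpha) % Q                  # step 4: Bob's proxy signature key
    return r_bar, r, s_bar, s


def scheme2_delegation(x, k, beta):
    """Scheme 2.  Returns (r_bar, r, r_prime, s_bar, s); Alice only ever sees r'."""
    r_bar = pow(G, k, P)
    r = pow(r_bar, beta, P)
    r_prime = (r * pow(beta, -1, Q)) % Q     # r' = r * beta^{-1} (mod q)
    s_bar = (r_prime * x + k) % Q
    s = (s_bar * beta) % Q
    return r_bar, r, r_prime, s_bar, s


def proxy_key_valid(y, r, s):
    """Bob's acceptance test, the same in both schemes: g^s = y^r r (mod p)."""
    return pow(G, s, P) == (pow(y, r, P) * r) % P


def cheating_transcript(x, k, m):
    """Section 3.1: Bob answers with r = m * r_bar instead of g^alpha * r_bar,
    so Alice's reply s_bar completes a signature (r, s_bar) on Bob's message m."""
    r_bar = pow(G, k, P)
    r = (m * r_bar) % P
    s_bar = (r * x + k) % Q
    return r_bar, r, s_bar


def alice_detects_cheating(transcript, m):
    """Section 4.2, step 2: Alice checks the authenticated transcript for r = m * r_bar."""
    r_bar, r, _ = transcript
    return r == (m * r_bar) % P


def bob_can_sign_as_proxy(y, transcript):
    """Section 4.2, step 3: the proxy key would be s_bar + alpha, but the cheating
    transcript contains no alpha; s_bar on its own fails the acceptance test."""
    _, r, s_bar = transcript
    return proxy_key_valid(y, r, s_bar)


if __name__ == "__main__":
    x = secrets.randbelow(Q - 1) + 1          # Alice's long-term secret
    y = pow(G, x, P)
    k, alpha = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q - 1) + 1
    _, r, _, s = scheme1_delegation(x, k, alpha)
    print("honest scheme 1 proxy key accepted:", proxy_key_valid(y, r, s))
    t = cheating_transcript(x, k, m=9)
    print("Alice finds r = m * r_bar in the transcript:", alice_detects_cheating(t, 9))
    print("cheating Bob can act as proxy signer:", bob_can_sign_as_proxy(y, t))
```

The detection check only works because the transcript is authenticated, as the text stresses: Alice needs an $r$ that Bob cannot later disown before $r = m\bar r$ proves anything to a third party.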



4.3 Non-repudiation Considerations 

In this section, we show that the claim in [?] that Zhang's second proxy 
signature scheme is not non-repudiable is incorrect. The messages exchanged in 
the protocol are as follows: 

Alice $\longrightarrow$ Bob: $\bar r = g^{k} \pmod p$ 

Alice $\longleftarrow$ Bob: $r' = r\beta^{-1} \pmod q$, where $r = \bar r^{\beta} \pmod p$ 

Alice $\longrightarrow$ Bob: $\bar s = r'x + k \pmod q$ 



134 H. Ghodosi and J. Pieprzyk 



Bob computes 

$s = \bar s \beta \pmod q$ 

and accepts $s$ as a valid proxy key, if the following equation holds: 

$g^{s} = y^{r} r \pmod p$. 

Bob's public key is $y' = g^{s} \pmod p$. 

Our observation is that: 



— If Bob cheats in the key delegation phase then he is not able to sign any 
message (by the same arguments as for the first scheme) and hence Lee-Hwang-
Wang's proof that Zhang's scheme is not non-repudiable is not applicable in 
this case. 

— If Bob does not cheat in the key delegation phase then he can sign any 
message. However, the attack mentioned in [?] does not work. In fact, the 
authors of [?] were not aware that in an ElGamal-type signature the signer 
selects a fresh random number for each signature and therefore $r$ is different 
from that used in the key delegation protocol. That is, Alice cannot compute 
Bob's secret key in the way discussed by Lee, Hwang and Wang. In other 
words, the claim that Zhang's second proxy signature scheme is not non-
repudiable is incorrect. 
Abstract. In [21] some simple modifications of the RSA, respectively 
Dickson/LUC, cryptosystems have been presented which are practical 
and provably as secure in difficulty as factorizing their modulus. Similar 
to Rabin's provably secure cryptosystem, these schemes are vulnerable to 
chosen ciphertext attacks. We are going to provide a method for immunizing 
the RSA based system against adaptive chosen ciphertext attacks 
and simultaneously provide information authentication capability. By 
means of probabilistic encoding, the scheme achieves semantic security 
and plaintext awareness in the standard (i.e. non random oracle) model 
under the assumption of a collision-resistant hash function and the 
factorization intractability of the receiver's modulus. 



1 Introduction 

1.1 Chosen Ciphertext Security 

A considerable amount of research has been done in recent years, both from the 
theoretical and practical point of view, in the pursuit of the construction of public 
key cryptosystems secure against chosen ciphertext attacks. In such an attack, 
the adversary obtains the decryption equipment and is allowed to sequentially 
query it as a black box (an input-output oracle). Informally, the system is said 
to be secure under a chosen ciphertext attack, if the attacker cannot decrypt a 
new message. Typically, one distinguishes between a weak form of this attack, 
known as a lunch-time attack, and the strongest possible form, known as an 
adaptive chosen ciphertext attack. In a lunch-time attack, the adversary queries 
the decryption oracle some number of times, after which he obtains the ciphertext 
that he wishes to cryptanalyze, and is not allowed to query the decryption oracle 
further. (The name visualizes the situation where the supervisor is out of the 
office, e.g. for lunch, and the attacker is using the opportunity to play with the 
equipment over the break but he has no meaningful ciphertext in his possession.) 
In an adaptive attack, the adversary has access to the decryption equipment even 
after receiving the object ciphertext to be cryptanalyzed. The attacker is allowed 
to continue to query the deciphering algorithm with any ciphertext, except the 
exact object ciphertext. 
1.2 Previous Results 

Among the several types of attacks on cryptosystems, the most severe certainly is 
the chosen ciphertext attack, since the attacker may choose different ciphertexts 
himself and can use the knowledge obtained in the query and answer process to 
extract the plaintext of an object ciphertext. 

For many years, no public key system was shown to be secure under a chosen 
ciphertext attack. Rabin pioneered the research of constructing provably secure 
public key cryptosystems by designing a scheme with the property that extracting 
the complete plaintext of an object ciphertext is computationally equivalent 
to factoring large numbers. Blum and Goldwasser [?] invented the first efficient 
probabilistic public key system that hides all partial information. 

A common drawback with these and related cryptosystems is that, although 
secure against chosen plaintext attacks, they are easily compromised by cho- 
sen ciphertext attacks. Thus, the question of how to design, respectively, prove 
security against such attacks was open for a while. 

Theoretical Chosen Ciphertext Secure Systems. 

The notion of chosen ciphertext security against lunch-time attacks was first 
defined and implemented in [?]. The first provably secure scheme against adaptive 
chosen ciphertext attacks was presented in [?]. The security of their 
schemes relies on the notion called non-malleability. Informally, it requires 
that it is infeasible, given a ciphertext, to create a different ciphertext such 
that their plaintexts are related in a known manner. Unfortunately these suggestions 
are impractical as they rely on general and expensive constructions for 
non-interactive zero-knowledge proofs. Also, the resulting ciphertexts are in general 
much longer than the original plaintexts. These disadvantages make the 
cryptosystems difficult to realize in practice. 

Practical Chosen Ciphertext Secure Systems. 

Practical approaches to constructing such systems were first initiated by 
Damgård [?] and further extended by Zheng and Seberry [?], [?], who also 
proved Damgård's scheme to be insecure against adaptively chosen ciphertext 
attacks. The fundamental ideas of Zheng and Seberry are a general method for 
securing cryptographic schemes against active attacks. Their methods are based 
on sole-samplable (encoding-) functions. Basically, this means that there 
is no other way to generate a legitimate ciphertext than to choose the message 
first, and then to encrypt this message by means of the encoding function. 
Their immunization process consists of appending to each ciphertext a tag that 
is correlated to the message to be enciphered. This value serves as a second, 
independent piece of information (cf. also [?]) that is the basis for a validity-check 
routine which will output the decrypted message only when this check condition is 
satisfied. Additionally, they present a method for adding authentication capability 
to their cryptosystems. Although these are secure against chosen ciphertext 
attacks, Lim and Lee [?] have pointed out that some of Zheng's and Seberry's 
cryptosystems might just fail under known plaintext attacks, a weakness that 
is overcome by the ZS Diffie-Hellman digital signature based scheme, and the 
improved schemes [?], where the security tag depends both on the message to 
be deciphered and on the sender's secret key. Lim and Lee suggest an immunization 
method where the validity-check is based on the ciphertext and not on the 
recovered plaintext. Similarly to Zheng's and Seberry's systems, their argument 
is based on the idea that an attacker cannot produce legitimate ciphertexts without 
knowing the plaintext. However, their proposed scheme has been broken in [?]. 

A desirable property of any cryptoscheme is a proof that breaking it is as 
difficult as solving a computational problem that is widely believed to be difficult, 
such as integer factorization or the discrete logarithm problem. Consequently, the 
provable security obtained by relying on such a complexity-theoretic assumption 
is to be understood in the sense that an attack on the scheme implies an attack 
on the underlying primitive it employs. 

In this regard, although the schemes mentioned in the previous paragraph 
are conjectured to be secure against chosen ciphertext attacks, one of their 
disadvantages is that no proofs based on known intractability assumptions are 
presented. 

Motivated by the problem of demonstrating provable security in terms of 
an underlying intractability assumption, Bellare and Rogaway [?] presented 
practical and provably secure schemes in the random oracle model. 
They suggest first designing cryptographic protocols in an ideal system, and 
then replacing oracle access by the computation of an "appropriately chosen" 
function. Based on the assumption of "ideal" hash functions, they present two 
semantically secure encryption schemes by utilizing the RSA, respectively the 
Diffie-Hellman, primitive. 

Another provably secure scheme has recently been proposed by Okamoto and 
Uchiyama [?]. Their scheme is shown to be as secure as the intractability of 
factoring $n = p^{2} q$. Similar to Rabin's scheme, the provable security makes their 
system vulnerable to active attacks. In order to obtain security against chosen 
ciphertext attacks they suggest a modification based on the random oracle model. 

Tsiounis and Yung [?] presented an ElGamal based instantiation of an encryption 
scheme that is non-malleable under adaptive chosen ciphertext attacks. 
They basically also rely on the random oracle model but minimize the importance 
of the model in that it only serves as an unpredictable beacon. 

However, some problems with the random oracle model have recently been 
described by Canetti, Goldreich, and Halevi [?]. They prove that there are encryption 
and signature schemes which are secure in the random oracle model, 
but have no secure implementation (replacement of the random oracle by any 
easy to evaluate function) in the "real world" (where a random oracle does not 
exist). 

A natural goal thus is designing a chosen ciphertext secure system which is 
practical and proven secure under standard intractability assumptions 
and which does not rely on the random oracle model. The first scheme of this 
kind has recently been established by Cramer and Shoup [?], [?]. Their proof of 
security relies only on the hardness of the Diffie-Hellman decision problem and 
the collision intractability of a hash function. 
The new scheme. In this paper we are dealing with a very simple modification 
of RSA, in particular, with the factorization-equivalent RSA method 
[?] (cf. also [?]). Recall that plain RSA is malleable (cf. [?]). Moreover, both 
RSA, and even certain protocols based on the randomized RSA modification 
PKCS #1, are insecure against chosen ciphertext attacks ([?], [?], [?], [30]). 
By contrast, our approach represents an authentication-enhanced immunization 
method against active attacks. Our resulting scheme is both practical and provably 
as secure as factorizing its modulus. We use probabilistic encryption to 
utilize randomness to obtain plaintext awareness and provable semantic security 
against adaptively chosen ciphertext attacks. Other than the previous security-enhanced 
RSA instantiations [?], [?], we do not rely on the random oracle 
model. Our method also differs from the previous schemes in that it is based on 
the more general factorization primitive, as opposed to the more specific RSA primitive. 



2 The Factorization-Equivalent RSA Modification 

As indicated above, most of the existing provably secure encryption schemes rely 
on the random oracle model. However, as mentioned, there does exist an adaptive 
chosen ciphertext secure ElGamal modification [?] that does not rely on random 
oracles. Since this scheme is based on the intractability of the Diffie-Hellman 
decision problem, it is clearly of great interest to establish a secure system outside 
the random oracle model, which is provably secure under the factorization 
intractability of $n = pq$. Even after exhaustive research, the factorization problem 
is still considered to be very hard. In spite of spectacular progress in recent 
years in developing fast factorization algorithms (cf. [?], [?]), an appropriately 
chosen, sufficiently large modulus $n = pq$ still cannot be factorized by current 
techniques. 

Although it has been shown that the semantic security of ElGamal encryption 
is actually equivalent to the Diffie-Hellman decision problem (cf. [?]), it remains 
an open question whether the corresponding result in terms of original RSA and the 
factorization problem is true. That is, while it is well known that the RSA public-key 
cryptosystem [?] can be broken if its modulus $n = pq$ can be factored, 
it is not known if the opposite is true (cf. [?]). This problem has led to the 
development of a variety of PKCSs ([?]) 
whose security is equivalent to the difficulty of factoring the modulus $n$, i.e., 
for which knowledge of the factorization of the modulus is necessary in order to 
retrieve plaintext from ciphertext without the use of the decryption key. 

A common problem of all these provable secure schemes is their vulnerability 
to chosen ciphertext attacks which is based on the general underlying method 
for establishing this security. 

Since RSA is certainly one of the most widely used cryptosystems, the goal 
of this paper is to immunize the simple RSA modification [?] against adaptively 
chosen ciphertext attacks. 
2.1 Description of the Factorization-Equivalent RSA Modification 

The crucial point for this scheme consists of choosing $e$ and $d$ according to a 
certain principle which had also been the basic idea in [?]. Observe that choices 
for $e$ are known for which RSA is provably not equivalent to factorization (cf. 
[?], [?]). 

Key Generation. Let $p$ and $q$ be sufficiently large primes with $p \equiv q \equiv 3 
\pmod 4$, put $k = \ldots$ and let $e$, $d$ be integers that are chosen 
according to $ed \equiv \ldots \pmod k$. Set $Q = qq^* - pp^* \pmod n$, where $n = pq$, 
$q^* = q^{-1} \pmod p$ and $p^* = p^{-1} \pmod q$. 

The public key is $(n, e)$ and the private key is $(p, q, d, Q)$. 

Encryption. Given a message $a \in \mathbb{Z}_n^*$, the encryption algorithm runs similarly 
to the original RSA scheme by calculating $c = a^{e} \pmod n$. Additionally, 
it is necessary to evaluate $B_1 = a \pmod 2$ with $B_1 \in \{0, 1\}$ and $B_2 = \left(\frac{a}{n}\right)$. 
The ciphertext is 

$[c, B_1, B_2]$. 

For this scheme, the choice of $e$ and $d$ implies that $a^{ed} \equiv \pm a \pmod p$ 
and $a^{ed} \equiv \pm a \pmod q$. Consequently, there will be four different possible 
decrypted messages modulo $n$. The information values $B_1$ and $B_2$ will be used 
to let the receiver retrieve the message that was originally sent. 

Decryption. On receiving $[c, B_1, B_2]$ the receiver firstly calculates 

$K = c^{d} \pmod n$ if $B_2 = 1$, 

$K = Q\,c^{d} \pmod n$ if $B_2 = -1$, 

where $0 < K < n$. Finally, the correct message is $a = K$ or $n - K \pmod n$, 
whichever satisfies $a \equiv B_1 \pmod 2$. 



2.2 Security Analysis 

It has been shown in [?] that decrypting the above RSA modification and 
factorizing the modulus are computationally equivalent. However, by the same 
token, the proof also enables factoring the modulus under a chosen ciphertext 
attack. 

Proposition 1. If $E$ and $D$ denote the modified RSA en- and decryption algorithms 
of Section 2.1, then for any $a \in \mathbb{Z}_n^*$ with $\left(\frac{a}{n}\right) = -1$ one obtains a 
non-trivial factor of $n$ by the determination of $\gcd(D(E(a)) - a, n)$, where in 
the decryption procedure $B_2$ is assigned the value $1$ instead of $-1$. More specifically, 
if $B_2 = 1$ and $\left(\frac{a}{n}\right) = -1$, then $D(E(a)) = E(D(a)) \equiv \pm a \pmod p$ and 
$D(E(a)) = E(D(a)) \equiv \pm a \pmod q$, but not simultaneously modulo $n$. 

Proof. The first statement appears as Lemma 3.2 in [21]. Clearly, by properties 
of the power polynomial, $D(E(a)) = E(D(a)) = a^{ed} \pmod n$ and the second 
statement again follows from [?]. □ 
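A toy model of the factorization-equivalent RSA modification of Section 2.1 together with the factor leak of Proposition 1, added here as an example; it is not code from the paper or from [21]. Where the text above is illegible the code makes explicit assumptions: $k = \mathrm{lcm}(\frac{p-1}{2}, \frac{q-1}{2})$ and $ed = 1 + tk$ with $t$ odd, so that $a^{ed} \equiv \left(\frac{a}{p}\right) a \pmod p$, and for $B_2 = -1$ the rule $K = Q\,c^{d} \pmod n$, which uses $Q \equiv 1 \pmod p$, $Q \equiv -1 \pmod q$ to flip exactly one residue. The primes 23 and 31, the exponent 7 and all function names are constructed for this example.

```python
# Added example (not from the paper): toy model of the factorization-equivalent
# RSA variant of Section 2.1 and of the chosen-ciphertext factoring of
# Proposition 1.  Assumptions made where the page is illegible:
#   k = lcm((p-1)/2, (q-1)/2),  e*d = 1 + t*k with t odd  (so a^(ed) = (a/p)*a mod p),
#   K = Q * c^d mod n when B2 = -1.
# The primes and exponent are constructed toy values, far too small for real use.
from dataclasses import dataclass
from math import gcd


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd positive n, via quadratic reciprocity."""
    assert n > 0 and n % 2 == 1
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: sign flips iff both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


@dataclass(frozen=True)
class PrivateKey:
    n: int
    e: int
    p: int
    q: int
    d: int
    Q: int


def keygen(p, q, e):
    """Key generation of Section 2.1 under the assumptions stated above."""
    assert p % 4 == 3 and q % 4 == 3 and e % 2 == 1
    n = p * q
    half_p, half_q = (p - 1) // 2, (q - 1) // 2          # both odd
    k = half_p * half_q // gcd(half_p, half_q)           # assumption: k = lcm(...)
    d = pow(e, -1, k)
    if ((e * d - 1) // k) % 2 == 0:  # assumption: make t odd; e odd flips the parity of t
        d += k
    q_star = pow(q, -1, p)                               # q* = q^{-1} (mod p)
    p_star = pow(p, -1, q)                               # p* = p^{-1} (mod q)
    Q = (q * q_star - p * p_star) % n                    # Q = 1 (mod p), Q = -1 (mod q)
    return PrivateKey(n, e, p, q, d, Q)


def encrypt(n, e, a):
    """Returns the ciphertext [c, B1, B2] of Section 2.1 for a in Z_n^*."""
    assert 0 < a < n and gcd(a, n) == 1
    return (pow(a, e, n), a % 2, jacobi(a, n))


def decrypt(sk, ct):
    """Decryption of Section 2.1: select one of the four candidates via B1, B2."""
    c, B1, B2 = ct
    K = pow(c, sk.d, sk.n)
    if B2 == -1:
        K = (sk.Q * K) % sk.n       # assumption: flip the q-component with Q
    return K if K % 2 == B1 else sk.n - K   # n odd: exactly one of K, n-K has parity B1


def factor_from_forged_b2(sk, a):
    """Proposition 1: for (a/n) = -1, decrypting E(a) with B2 forged to 1 returns
    b = +-a (mod p) and -+a (mod q), so gcd(b - a, n) is p or q.  This is why the
    decryptor must validate a ciphertext before releasing anything (Section 3)."""
    c, B1, _ = encrypt(sk.n, sk.e, a)
    b = decrypt(sk, (c, B1, 1))
    return gcd(b - a, sk.n)


if __name__ == "__main__":
    sk = keygen(23, 31, 7)            # constructed toy primes, 23 = 31 = 3 (mod 4)
    assert all(decrypt(sk, encrypt(sk.n, sk.e, a)) == a
               for a in range(1, sk.n) if gcd(a, sk.n) == 1)
    a = next(v for v in range(2, sk.n) if jacobi(v, sk.n) == -1)
    print("factor leaked by one forged-B2 decryption:", factor_from_forged_b2(sk, a))
```

Run as a script, the block first checks that every unit of $\mathbb{Z}_{713}^*$ decrypts correctly and then shows that a single decryption query with $B_2$ forged to $1$ hands back a factor of $n$; that is the chosen-ciphertext weakness the immunization of Section 3 is designed to remove.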
3 The Proposed Immunization Method 

We present a simple method for securing the modified RSA cryptoscheme [?] 
against adaptive chosen ciphertext attacks. In view of Proposition 1 it becomes 
obvious that the attack will cause a total break of the system if, instead of the 
(correctly) decrypted message $a$, the value $\pm b \pmod n$ with $b \equiv a \pmod p$ 
and $b \equiv -a \pmod q$ is returned. Certainly, without knowing the correct 
values $\left(\frac{a}{n}\right)$ and $a \pmod 2$ of the original message $a$, there is no way for the 
receiver to distinguish between the correct and the wrong value, $a$ and $b$, respectively. 
Since the decryption process is not injective, the decrypter will not simply 
obtain the original message $a$, but rather four possible solutions. As a result, the 
encrypter needs to provide the information values $B_1$ and $B_2$ indicating which 
of these ambiguously decoded messages is the correct one. By transmitting 
a different information bit for $B_2$ than the one which would identify the 
correct message $a$, the sender can obviously manipulate the decoder into decrypting 
the wrong message $b$, which will immediately enable him to factorize $n$. 

A principal goal thus consists of preventing the above total forgery of the system 
that is caused by forging the value $B_2$. The main idea for the immunization 
method will be to append to each ciphertext another information value that is 
correlated to the sender's secret key and the message to be enciphered. This additional 
information will be used in the decryption scheme to locate any forged 
ciphertext. Moreover, this internal validity test will detect any non-legitimate 
and any non-authentic ciphertexts, and will also ensure plaintext awareness. 

Setup of the scheme. 

Let user A's modulus be denoted by $n_A = p_A q_A$, where the primes $p_A, q_A$ are 
congruent to $3 \pmod 4$. As before, each user A possesses a public enciphering key 
and a secret deciphering key, which we will denote as $e_A$ and $d_A$, respectively, 
where $e = e_A$ and $d = d_A$ are chosen as in Section 2.1. Additionally, let $s_A \equiv \ldots 
\pmod{\phi(n_A)}$ be another secret key which the user A will need for 
signing, and let $t_A$ be made publicly known. 

We will assume throughout that $n_A$ is chosen in a way which makes it 
computationally infeasible to find the factorization of $n_A$. 

Assume that h is a cryptographic hash function that maps strings of arbitrary 
finite length into strings of fixed length. Given h and an input x, computing h{x) 
must be easy. A one-way hash function must provide both preimage resistance 
and second preimage resistance, i.e., it must be computationally infeasible to 
find, respectively, any input which hashes to any pre-specified output, and any 
second input which has the same output as any specified input. A collision 
resistant hash function is a one-way hash function that provides the additional 
property of collision resistance, i.e., it must be computationally infeasible to find 
two distinct inputs that hash to the same result. 

In the following, h will always denote a collision resistant hash function. 

If $n = pq$, $p \equiv q \equiv 3 \pmod 4$ for primes $p$ and $q$, and if $b \in \mathbb{Z}_n^*$ is a publicly 
known value (e.g. $e_A$ or $e_B$), then it is known that Rabin's signature function 
(cf. [?]) $f : \mathbb{Z}_n^* \to \mathbb{Z}_n^*$, $x \mapsto x(x + b) \pmod n$ is provably as difficult to invert 
as it is to find the factors of $n$. For the remainder of the paper let $f$ be the Rabin 
function for $n = n_A$. The reason for employing this function will become more 
obvious later on when establishing the proof of semantic security of the scheme. 

In the following, let $x \| y$ denote the concatenation of two strings $x$ and $y$, and let 
$n_{min} = \min\{n_A, n_B\}$, where $n_A$ is the receiver's and $n_B$ is the sender's modulus, 
respectively. 

We now extend the RSA scheme of [?] to provide enhanced security. A 
message $m \in \{1, \ldots, n_{min}\}$ can be sent secretly from B to A in the following way. 

Enciphering Algorithm (user B): 

1. Select randomly $r \in \{1, \ldots, n_{min}\}$ such that for $r' = r^{s_B} \pmod{n_B}$, $m' = 
r m^{s_B} \pmod{n_B}$, 

$\ldots$ (1) 

2. Compute $c_1 = (m')^{2e_A} \pmod{n_A}$. 

3. Compute $c_2 = h(m^{e_A} \pmod{n_A} \,\|\, f(r'))$. 

4. Let $c_3 = (r')^{2e_A} \pmod{n_A}$. 

5. Set $B_1 = m' \pmod 2$, $B_2 = \left(\frac{m'}{n_A}\right)$, where $B_1 \in \{0, 1\}$. 

6. Send $C = [c_1, c_2, c_3, B_1, B_2, b_2]$ to user A. 

Deciphering Algorithm (user A): 

1. Compute $c_1^{d_A} \pmod{n_A}$ and get the unique value $M'$ by means of $B_1$ and 
$B_2$ as in Section 2.1 (cf. [?]). 

2. Compute $c_3^{d_A} \pmod{n_A}$ and get the unique even value $R'$ by means of $b_2$. 

3. Compute $R = (R')^{t_B} \pmod{n_B}$, $M = \ldots \pmod{n_B}$. 

4. — if $M > n_{min}$ or $M' > n_{min}$ output NULL, 

— if $R' > n_{min}$ or $2 \nmid R'$ output NULL, 

— if $R > n_{min}$ output NULL, 

— otherwise, check that 

$h(M^{e_A} \pmod{n_A} \,\|\, f(R')) = c_2$. (2) 

If OK, output $m = M \pmod{n_A}$, else output NULL. 

Remark 1. We generally use the notation $a = b \pmod N$ to denote the principal 
remainder $a$, that is, the unique integer $a \in \{0, \ldots, N-1\}$ that is congruent 
to $b$ modulo $N$. 

4 Unambiguous Decryption of the Proposed Scheme 

4.1 Authenticity and Unique Decoding 

Observe that in the basic authenticated RSA 'sign then encrypt' system the 
sender's modulus $n_B$ always has to be smaller than the receiver's modulus $n_A$ in 
order to guarantee unique decoding. Here, since $r'$ and $m'$ are defined modulo 
$n_B$, property (1) ensures that decryption will always be uniquely possible when 
working with both $n_A$ and $n_B$. Namely, if $n_B < n_A$, the uniqueness obviously is 
guaranteed, while for $n_A < n_B$, both the factors $r'$ and $m'$ have to be less than 
$n_A$, which allows unique en- and decryption modulo $n_A$. 

Essentially, the blinding of the message $m$ by $m^{s_B} \pmod{n_B}$ frustrates any 
attempt at creating a 'useful' message without knowing B's secret key $s_B$. 



4.2 Unambiguity of the Decoding Algorithm 

We now verify that the decryption of an encryption of a message yields the 
message. For simplicity, we give two definitions. 

Definition 1. Let us define a tuple $C = [c_1, c_2, c_3, B_1, B_2, b_2]$ to be a valid ciphertext 
if the decryption oracle does not output 'NULL'. Any $c_i$ of a valid 
ciphertext will be referred to as a 'valid $c_i$'. 

Definition 2. Let $m'$ be a fixed integer. A legitimate choice of $B_1$, respectively 
$B_2$, with respect to $m'$ is understood to be the unique value $B_1 \in \{0, 1\}$, respectively 
$B_2$, that is obtained by $B_1 = m' \pmod 2$, respectively $B_2 = \left(\frac{m'}{n_A}\right)$. The 
legitimate choice of $b_2$ is defined similarly. Additionally, let the non-legitimate 
choice of $B_1$ be $\bar B_1 = B_1 + 1 \pmod 2$, where $B_1 \in \{0, 1\}$ and $B_1$ is the legitimate 
choice with respect to $m'$. Let analogously $\bar B_2$ and $\bar b_2$ be defined in the 
obvious manner. 

Observe that by hypothesis (1), $r'$ is even, so that the analogous information 
$r' \pmod 2 =: b_1$ is already fixed to $0$ and does not have to be explicitly given 
as part of the ciphertext. 

We will assume throughout that $b_2, B_2 \neq 0$. 

In the following, we show that no adversary can apply Proposition 1 so as to 
fool the deciphering algorithm into outputting one of the three 'wrong' messages. 

Lemma 1. Let $C$ be a given valid ciphertext. Suppose an adversary wants to 
modify $C$ so as to obtain another valid ciphertext. Then any non-legitimate choice 
$\bar b_2$ will cause the decryption oracle to reject, provided factorization of $n_A$ is hard 
and the adversary does not find a collision in $h$. 

Proof. If $\bar b_2 = -b_2$, where $b_2$ is the legitimate choice with respect to $r'$, then 
$c_3^{d_A} \pmod{n_A}$ will, instead of $r' \pmod{n_A}$, evaluate to $\pm \tilde r' \pmod{n_A}$, where 
$\tilde r' \equiv r' \pmod{p_A}$, $\tilde r' \equiv -r' \pmod{q_A}$. By the collision-freeness of $h$, the value 
$R'$ obtained from $\pm \tilde r' \pmod{n_A}$ will be rejected by the test for the valid $c_2$. The 
only way to pass the validity test is to calculate a modified $c_2$ as the hash value 
with respect to $\pm \tilde r' \pmod{n_A}$. To achieve this, however, since $h$ is collision-resistant, 
the adversary has to know $\pm \tilde r' \pmod{n_A}$. But knowing this value 
would immediately enable the adversary to factorize $n_A$, which is impossible. 

□ 
Consider now the unambiguity of decoding a valid $c_3$. Recall that the underlying 
en- and deciphering procedure $r' \mapsto (r')^{2e_A d_A} \pmod{n_A}$ yields $\pm r'$ 
$\pmod{p_A}$, $\pm r' \pmod{q_A}$, which gives rise to four different possible values modulo 
$n_A$ in the deciphering process. Unambiguous decoding relies only on the 
auxiliary value $b_2$ since $b_1$ equals zero by construction. As $b_2$ can only be the legitimate 
value by Lemma 1, no attacker is able to fool the deciphering oracle into 
outputting the 'wrong' values for $r' \pmod{n_A}$. We thus obtain the following. 

Corollary 1. If $C$ is a valid ciphertext with entries defined above, then $c_3 = 
(r')^{2e_A} \pmod{n_A}$ will always unambiguously be decrypted into $r' \pmod{n_A}$. 

Similarly as in Lemma 1 the following can be shown. 

Lemma 2. Let $C$ be a valid ciphertext. Suppose an adversary wants to modify 
$C$ so as to obtain another valid ciphertext. Then any non-legitimate choice $\bar B_2$ 
will cause the decryption oracle to reject, provided factorization of $n_A$ is hard 
and the adversary does not find a collision in $h$. 

Lemma 3. Assume that an adversary does not find a collision in $h$. Then, given 
a valid ciphertext $C$, an adversary can only modify $B_1$ into the non-legitimate 
choice $\bar B_1$ to obtain another valid ciphertext if he knows the corresponding message 
and the random value. 

Proof. By Corollary 1, $r'$ $(< n_{min})$ and thus $r = (r')^{t_B} \pmod{n_B}$ will unambiguously 
be calculated in the deciphering process. By the non-legitimate choice 
$\bar B_1$ the first step of the decryption procedure will evaluate to $-m' \pmod{n_A}$ 
instead of $m' \pmod{n_A}$. Therefore, the value of $M$ derived from $-m' \pmod{n_A}$ will, 
instead of the one derived from $m' \pmod{n_A}$, be the input for the validity check. Because 
of the collision-freeness of $h$, the test will certainly reject for the valid $c_2$. Consequently, 
$c_2$ would need to be adapted so that the test does not reject. Again, by 
the collision-freeness of $h$, the only way to do so is to evaluate $c_2$ from $M = m$ 
and $R = r$ in (3). □ 

Corollary 2. Let $C$ be a valid ciphertext with respect to the unknown message 
$m$ relative to $r$. Then $c_1 = (m')^{2e_A} \pmod{n_A}$ will always unambiguously be 
decrypted into $m' \pmod{n_A}$. 

In summarizing, we have: 

Theorem 1. For the above cryptosystem it is always true that decryption of an 
encryption of an unknown message yields the message. 

5 Security Analysis of the Proposed Scheme 

5.1 The Notions 

Semantic security. Informally, a cryptosystem is semantically secure (cf. [?]) 
if whatever can be computed by an attacker about the plaintext given an object 
ciphertext can also be computed without the object ciphertext. Semantic 
security ensures that no partial information on the plaintext is leaked from an 
object ciphertext to probabilistic polynomial-time bounded attackers. We further 
distinguish between semantic security against (a) chosen plaintext attacks 
and semantic security against (b) adaptive chosen ciphertext attacks. 

Formally, the setup is like this. Let the adversary be given A's public encryption 
key and also access to (a) the enciphering algorithm, respectively (b) the 
deciphering algorithm. 

In the case of (b), the adversary makes arbitrary queries to the decryption 
oracle, decrypting ciphertexts of his choice. (In case (a) the adversary never has 
access to the decryption oracle.) 

Next, the adversary chooses two messages, $m_0, m_1$, and sends these to the 
encryption oracle, which chooses a bit $b \in \{0, 1\}$ at random, and encrypts $m_b$. 
The corresponding ciphertext $C$ is given to the adversary. The adversary does 
not see the bit $b$. Now the challenge to the adversary consists of determining for 
which of the two messages $C$ is the ciphertext. 

After receiving the object ciphertext $C$ from the encryption oracle, the adversary 
continues to query the corresponding oracle (for (a) respectively (b)), 
subject only to the restriction that in case (b) the query must be different from the 
exact object ciphertext $C$. 

Finally, the adversary outputs $b' \in \{0, 1\}$ which is his guess of the value $b$. 
The scheme is semantically secure (with respect to (a) respectively (b)) if 
the probability that $b' = b$ is at most $1/2 + \epsilon$ where $\epsilon$ is negligibly small. 

Remark 2. Observe that with deterministic encryption (e.g. plain RSA) the same message m, encrypted at different times, will always give the same cryptogram, which would be recognized by the adversary. Therefore, a basic requirement for semantic security is that the cryptosystem is probabilistic.

Plaintext awareness. The idea is that an adversary "knows" the decryption of the message which he encrypts, in the sense that he cannot produce a ciphertext C without being able to compute the plaintext m for which C is the ciphertext. Plaintext awareness implies non-malleability, since it prevents any adversary from modifying a given ciphertext so as to induce a desired change in the plaintext. For a formal definition of plaintext awareness we refer to [?, ?].

5.2 The Main Results 

We now proceed to show the semantic security and plaintext awareness of the 
modified RSA scheme described above. 

Theorem 2. The above cryptosystem is semantically secure against adaptive chosen plaintext attacks assuming that the factorization of n_A = p_A q_A is hard.

Proof. Suppose that C_1 and C_2 are two valid ciphertexts. Under the factorization intractability of n_A and the introduction of the random value r, no probabilistic polynomial time algorithm can distinguish between C_1 and C_2. Namely, if the factorization of n_A = p_A q_A is hard, then extracting the whole values m' from c_1, respectively r' from c_3, is practically impossible. It thus follows from Naslund's recent results (cf. [?]) that all individual bits of c_1 and c_3 are secure. Now even if h leaks some partial information, by the same argument all individual bits of m and r' are secure, since all the bits induced by the RSA, respectively the Rabin function, (...) (mod n_A), respectively f(r'), are secure. □

Lemma 4. With notation as above, if C is a valid ciphertext, then any change to c_2 conducted without knowing the corresponding message and the random value will cause the decryption oracle to reject, provided the adversary does not find a collision in h.

Proof. The assertion follows from the collision resistance of h. In detail, given any modified c_2, the hash value on the left hand side of the validity test will not be equal to this c_2 and the test will reject.

We will show that the adversary needs to have knowledge of the message and the blinding factor relative to this message if he wants to construct a valid ciphertext.

The validity test will only be passed if a modified c_2 is evaluated as the image of the hash function h. In other words, the adversary can firstly choose a z and set (...) (mod n_A) = z. Secondly, the adversary can choose w and set c_3^(...) (mod n_A) = w. Now he can compute a modified c_2 as the hash value relative to z and w as

h( (...) (mod n_B) (...) )

and can construct a valid ciphertext from c_1 = z^(...) (mod n_A) and c_3 = (...) (mod n_A). Since, by construction, the validity check will pass, the decryption oracle will return the message (...) (mod n_B) (...) (mod n_A), which certainly can be computed by the adversary. In other words, whenever an adversary can construct a valid ciphertext, he also knows the corresponding message. □

Similarly, by the collision resistance of h, we obtain:

Lemma 5. If C is a ciphertext, then any modified value of c_1, c_3 (respectively, any modified c_2) obtained without knowledge of the message and the corresponding random value will cause the decryption oracle to reject, provided the adversary does not find a collision in h.

It follows from the proof of Lemma 4 for c_2, and similarly for c_1 and c_3, that being able to produce a valid ciphertext implies knowledge of the message. We have thus shown:

Theorem 3. If h is collision-resistant, then the above cryptosystem is plaintext aware.

Theorem 4. The above cryptosystem is non-malleable and semantically secure against adaptive chosen ciphertext attacks assuming that (1) the hash function h is collision resistant and (2) the factorization of n_A = p_A q_A is hard.

Proof. Both assertions are consequences of the established plaintext awareness. The first statement follows since no adversary can produce a valid ciphertext without knowing the corresponding plaintext. The second statement also follows immediately, since querying the deciphering algorithm with any legitimate ciphertext C yields no new information, because the plaintext of this ciphertext already has to be known. Thus, any adaptively chosen ciphertext attacker can be completely simulated by a chosen plaintext attacker when creating any legitimate ciphertext. Therefore the chosen ciphertext security follows from the chosen plaintext security proved above. □

6 Summary 

Designing provably strong cryptoschemes is one of the most fundamental tasks in cryptography. Certainly, the one-time pad provides the theoretically strongest possible form of security. However, due to the practical difficulties of this and other theoretically secure cryptosystems, many researchers have adapted the notion of security by relying on some standard complexity-theoretic assumption. In this paper we rely on the assumption of the factorization intractability of properly chosen large numbers.

Since RSA is undoubtedly the most popular one among all the factorization based encryption schemes, we have proposed a method of strengthening RSA against active attacks. By means of probabilistic encoding and by introducing an internal validity check routine in the deciphering algorithm, the proposed scheme is shown to have the property that the adversary can create ciphertexts only of strings for which he "knows" the corresponding plaintexts. Consequently, our scheme is not only semantically secure but also non-malleable and secure against chosen ciphertext attacks. Although provable security typically results in longer cryptograms and slower en- and deciphering algorithms, our scheme remains practical. In detail, the message length is about twice that of original RSA, plus the length of some hash output. Plain en- and decryption require three exponentiations, respectively. The intertwined signing algorithm requires two additional exponentiations in both the en- and deciphering algorithms. Additionally, in both the en- and deciphering process, the evaluation of some cryptographic hash function is needed. Contrary to the previous RSA enhancements, we only rely on the factorization primitive and the existence of a collision resistant hash function.
Abstract. Given an RSA modulus $n$, a ciphertext $c$ and the encryption exponent $e$, one can construct the sequence

$$x_0 = c \bmod n,\qquad x_{i+1} = x_i^{e} \bmod n,\qquad i = 0, 1, \ldots$$

until $\gcd(x_{i+1} - x_0, n) \neq 1$ or $i > B$, $B$ a given boundary. If $i < B$, there are two cases. Case 1: $\gcd(x_{i+1} - x_0, n) = n$. In this case $x_i = m$ and the secret message $m$ can be recovered. Case 2: $1 \neq \gcd(x_{i+1} - x_0, n) \neq n$. In this case, the RSA modulus $n$ can be factorised. If $i < B$, then Case 2 is much more likely to occur than Case 1. This attack is called a cycling attack. We introduce some new generalised cycling attacks. These attacks work without the knowledge of $e$ and $c$. Therefore, these attacks can be used as factorisation algorithms. We also translate these attacks to elliptic curves. For this case we call these attacks EC generalised cycling attacks. Finally, we review criteria that a strong RSA prime must satisfy.



1 Preliminaries

The reader is assumed to be familiar with the RSA cryptosystem [?]. A brief introduction to Lucas sequences and elliptic curves is given in the appendix. Throughout this paper we will use the following notations. If $x_0, x_1, \ldots$ is a sequence of elements, then $\{X\}$ will denote the whole sequence. If the elements are taken modulo a certain number, say $p$, and the sequence is periodic, then we will denote its period by $\pi_{\{X\},p}$. We write $a \mid b$ for "$a$ divides $b$". $(a|n)$ denotes the Legendre or Jacobi symbol if $n$ is prime or composite, respectively.



1.1 The Carmichael and Omega Function

We will make use of the Carmichael and Omega functions $\lambda(\cdot)$ and $\Omega(\cdot,\cdot)$, respectively. $\lambda(\cdot)$ is defined as follows (see, for example, [Riesel]):

$$\lambda(2) = 1,\qquad \lambda(4) = 2,\qquad \lambda(8) = 2,$$

and for $k > 3$

$$\lambda(2^k) = 2\,\lambda(2^{k-1}).$$

For prime $p > 3$ and $k > 1$ we have

$$\lambda(p) = p - 1,\qquad \lambda(p^k) = p\,\lambda(p^{k-1}).$$

Finally, for $n = p_1^{k_1} \cdots p_r^{k_r}$, $p_i$ prime, $k_i \ge 1$:

$$\lambda(n) = \operatorname{lcm}\bigl(\lambda(p_1^{k_1}), \ldots, \lambda(p_r^{k_r})\bigr).$$

The Carmichael function $\lambda(\cdot)$ and the well known Euler totient function $\phi(\cdot)$ are intimately connected. If, for example, $U(\mathbb{Z}_n)$ denotes the multiplicative group of units in $\mathbb{Z}_n$, then we can describe the following via these two functions:

— the order of the group $|U(\mathbb{Z}_n)|$ is equal to $\phi(n)$;

— the maximum order of an element $z \in U(\mathbb{Z}_n)$ is $\lambda(n)$;

— as a consequence of the above two statements: $U(\mathbb{Z}_n)$ is cyclic if and only if $\lambda(n) = \phi(n)$.

The Omega function $\Omega(\cdot,\cdot)$ is defined as follows:

$$\Omega(2, D) = \begin{cases} 1 & D \text{ is even} \\ 3 & D \text{ is odd} \end{cases}$$

and for $k > 1$

$$\Omega(2^k, D) = 2\,\Omega(2^{k-1}, D).$$

For prime $p > 3$ and $k > 1$ we have

$$\Omega(p, D) = p - (D|p),\quad (D|p) \neq 0,$$
$$\Omega(p, D) = 2,\quad (D|p) = 0,$$
$$\Omega(p^k, D) = p\,\Omega(p^{k-1}, D).$$

Finally, for $n = p_1^{k_1} \cdots p_r^{k_r}$, $p_i$ prime, $k_i \ge 1$:

$$\Omega(n, D) = \operatorname{lcm}\bigl(\Omega(p_1^{k_1}, D), \ldots, \Omega(p_r^{k_r}, D)\bigr).$$
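The two functions above are defined recursively on prime powers, and the group-theoretic facts they stand for (the maximum order of a unit mod n, the period of a Lucas sequence mod n) are what the cycling attacks later exploit. The following Python is an added example, not code from the paper: it implements $\lambda(n)$ and $\Omega(n, D)$ literally from the definitions and checks them by brute force against the maximum unit order and the observed period of $V(P, 1) \bmod n$. The trial-division factorisation and the constructed test moduli (77, 8, etc.) are toy-sized assumptions for illustration only.

```python
# Added example (not from the paper): the Carmichael function lambda(n) and the
# Omega function Omega(n, D) computed from the recursive definitions above,
# plus brute-force checks of the two facts they capture:
#   - lambda(n) is the maximum multiplicative order of a unit mod n;
#   - the period of the Lucas sequence V(P, 1) mod n divides Omega(n, P^2 - 4).
from math import gcd, lcm


def factorise(n):
    """Trial-division factorisation; returns {prime: exponent}. Toy sizes only."""
    f, d = {}, 2
    while d * d <= n:
        while n % d == 0:
            f[d] = f.get(d, 0) + 1
            n //= d
        d += 1
    if n > 1:
        f[n] = f.get(n, 0) + 1
    return f


def jacobi(a, n):
    """Jacobi symbol (a|n) for odd n > 0 (the Legendre symbol when n is prime)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


def carmichael(n):
    """lambda(n): prime powers from the definition, then the lcm over them."""
    def prime_power(p, k):
        if p == 2:   # lambda(2)=1, lambda(4)=lambda(8)=2, lambda(2^k)=2*lambda(2^(k-1)) for k>3
            return 1 if k == 1 else 2 if k in (2, 3) else 2 ** (k - 2)
        return (p - 1) * p ** (k - 1)        # lambda(p)=p-1, lambda(p^k)=p*lambda(p^(k-1))
    return lcm(*(prime_power(p, k) for p, k in factorise(n).items())) if n > 1 else 1


def omega(n, D):
    """Omega(n, D): prime powers from the definition, then the lcm over them."""
    def prime_power(p, k):
        if p == 2:
            base = 1 if D % 2 == 0 else 3     # Omega(2, D)
            return base * 2 ** (k - 1)        # Omega(2^k, D) = 2*Omega(2^(k-1), D)
        s = jacobi(D, p)
        base = 2 if s == 0 else p - s         # Omega(p, D) = p - (D|p), or 2 when (D|p) = 0
        return base * p ** (k - 1)            # Omega(p^k, D) = p*Omega(p^(k-1), D)
    return lcm(*(prime_power(p, k) for p, k in factorise(n).items())) if n > 1 else 1


def max_unit_order(n):
    """Brute force: the largest multiplicative order among the units of Z_n."""
    def order(z):
        k, y = 1, z
        while y != 1:
            y, k = y * z % n, k + 1
        return k
    return max(order(z) for z in range(1, n) if gcd(z, n) == 1)


def lucas_period(P, n):
    """Brute force: period of V(P, 1) mod n, the first k > 0 with (V_k, V_{k+1}) = (2, P)."""
    a, b, k = P % n, (P * P - 2) % n, 1       # (V_1, V_2)
    while (a, b) != (2 % n, P % n):
        a, b, k = b, (P * b - a) % n, k + 1   # V_{j+1} = P*V_j - V_{j-1}
    return k


if __name__ == "__main__":
    # Constructed toy inputs: n = 77 = 7 * 11 and the Lucas parameter P = 3 (D = 5).
    print("lambda(77) =", carmichael(77), "max unit order =", max_unit_order(77))
    print("Omega(77, 5) =", omega(77, 5), "period of V(3,1) mod 77 =", lucas_period(3, 77))
```

Running it on the constructed inputs shows $\lambda(77) = 30$ matching the brute-force maximum order, and the period of $V(3, 1) \bmod 77$ dividing $\Omega(77, 5) = \operatorname{lcm}(8, 10) = 40$; for a prime $p$ with $(D|p) = -1$ the period divides $p + 1$, which is exactly why the Lucas setting pulls $p + 1$ into the strong-prime criteria of Section 4.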



2 Generalised Cycling Attacks on RSA Moduli n = pq

2.1 Introduction: The Function Enc(·, ·)

In this section we show that all the attacks involve the same function, subsequently called the $\mathrm{Enc}(\cdot,\cdot)$ function. $\mathrm{Enc}(\cdot,\cdot)$ means a generalised RSA or Rabin encryption function. In this paper we define $\mathrm{Enc}(\cdot,\cdot)$ for three different mathematical settings, namely:

— the multiplicative group of units $U(\mathbb{Z}_n)$ or $U(\mathbb{Z}_p)$;

— Lucas sequences $V(P, 1) \bmod p$ or $V(P, 1) \bmod n$;

— the additive group of points on an elliptic curve $E(\mathbb{F}_p)$ or $E(\mathbb{Z}_n)$.

Other mathematical settings are possible. Let $m$ be an element of the corresponding mathematical setting $\mathcal{M}$ and let $x \in \mathbb{Z}$. Then the function $\mathrm{Enc}(\cdot,\cdot) : \mathcal{M} \times \mathbb{Z} \to \mathcal{M}$ is defined as follows.

$$\mathrm{Enc}(m, x) = \begin{cases} m^x & \text{for integers modulo a prime or composite} \\ V_x(m, 1) & \text{for Lucas sequences modulo a prime or composite} \\ x \cdot m & \text{for elliptic curves over } \mathbb{F}_p \text{ or } \mathbb{Z}_n \end{cases}$$

Note that $m$ must be an element of the corresponding mathematical setting $\mathcal{M}$. In particular, for the last case (elliptic curve), $m$ must be a point on the elliptic curve. From the definition of $\mathrm{Enc}(\cdot,\cdot)$, we have $\mathrm{Enc}(\mathrm{Enc}(m, x_1), x_2) = \mathrm{Enc}(\mathrm{Enc}(m, x_2), x_1) = \mathrm{Enc}(m, x_1 x_2)$. Let now, for prime $p$ and $D = P^2 - 4$,

$$\Psi(p) = \begin{cases} \lambda(p) & \text{for integers mod } p \\ \Omega(p, D) & \text{for Lucas sequences mod } p \\ p + 1 + t & \text{for elliptic curves over } \mathbb{F}_p \end{cases}$$

and for RSA modulus $n = pq$ and $D = P^2 - 4$

$$\Psi(n) = \begin{cases} \lambda(pq) & \text{for integers mod } n \\ \Omega(pq, D) & \text{for Lucas sequences mod } n \\ (p + 1 + t_1)(q + 1 + t_2) & \text{for elliptic curves over } \mathbb{Z}_n \end{cases}$$

where $(p + 1 + t_1)$ and $(q + 1 + t_2)$ are the orders of the additive groups of the elliptic curves over $\mathbb{F}_p$ and $\mathbb{F}_q$, respectively. Observe that now $\mathrm{Enc}(m, x) = m \bmod p$ for $x \equiv 1 \bmod \Psi(p)$ and $\mathrm{Enc}(m, x) = m \bmod n$ for $x \equiv 1 \bmod \Psi(n)$.¹ For the cycling attacks one now hopes that either $F(\Psi(p))$ or $F(\Psi(q))$ for this mathematical setting is smooth (smooth is defined below), that is, $F(\Psi(p))$ or $F(\Psi(q))$ has only small factors. $F(\cdot)$ is a function which depends on the particular attack chosen. For each of the three mathematical settings, there are now two possible cycling attacks.

Attack 1: $x_0 = \mathrm{Enc}(seed, e^0)$, $x_{i+1} = \mathrm{Enc}(x_i, e) = \mathrm{Enc}(seed, e^{i+1})$, $i = 0, 1, \ldots$

Attack 2: $x_0 = \mathrm{Enc}(seed, V_0(P, 1))$, $x_{i+1} = \mathrm{Enc}(seed, V_{i+1}(P, 1))$, $i = 0, 1, \ldots$

where $V(P, 1)$ is a Lucas sequence.



¹ The reader may have noted that $\Psi(\cdot)$ does not necessarily coincide with the order/period of the corresponding mathematical setting. However, the following statement is always true: the maximum order/period of an element of the corresponding mathematical setting divides $\Psi(\cdot)$. Also, to be more precise, the function $\Psi(\cdot)$ has one, two or three arguments depending on whether one is working with integers modulo a prime or composite, Lucas sequences or elliptic curves, respectively. This is omitted for the sake of simplicity.
The cycling attacks described under Attack 1 will have a complexity whose upper bound is given by $\min(\lambda(\Psi(p)), \lambda(\Psi(q)))$, whereas the upper bound of the complexity of the cycling attacks described under Attack 2 will be $\min(\Omega(\Psi(p), P^2 - 4), \Omega(\Psi(q), P^2 - 4))$. More precisely, the running times of attacks belonging to Attack 1 will divide $O(\min(\lambda(\Psi(p)), \lambda(\Psi(q))))$, whereas the running times of attacks belonging to Attack 2 will divide $O(\min(\Omega(\Psi(p), P^2 - 4), \Omega(\Psi(q), P^2 - 4)))$.

In the subsequent sections, we describe cycling attacks mod $n$. All the sequences $\{X\}$ have a possibly empty aperiodic part and a periodic part (or cycle) of length $\pi_{\{X\},n}$. To understand the behaviour of $\{X\} = x_i \bmod n$, we must first study $\{X\} \bmod p$ and calculate the period $\pi_{\{X\},p}$, that is, the length of the periodic part of $\{X\} \bmod p$. The aperiodic part, if it exists, is usually very small ($O(\log p)$ elements). All the attacks have the following calculations in common:

Algorithm Cycling Attack:

Input: $n$, starting values $seed$, $start_0$, ...; parameters $par_0$, $par_1$, ...; a boundary $B$
Output: "success", $p$, $q$; or "fail"

    set x_0 = Enc(seed, ·) mod n;
    set start = ⌈log n⌉;
    repeat
        set x_{i+1} = Enc(x_i, ·) mod n;
    until i > start;
    repeat
        set x_{i+1} = Enc(x_i, ·) mod n;
        set test = gcd(x_{i+1} - x_start, n);
    until test ≠ 1 or i > B;
    if test ≠ 1 and test ≠ n then Output("success", test, n/test) else Output("fail");

Instead of starting with $seed$, a random number, it is a good idea to let $seed = \mathrm{Enc}(seed, 2)$. Since all the group orders/periods considered in this paper are even, $x_0$ may now have half of the original order, or the sequence associated with $x_0$ may now have half of the original period. This would increase the efficiency of the algorithm by 100%. The only purpose of the first repeat loop is to skip a possible aperiodic part of the sequence $\{X\}$. (This repeat loop can be omitted if it is known that $\{X\}$ cannot have an aperiodic part.) That is, $x_{start}$ should now be in the periodic part of $\{X\}$. In the second repeat loop we are trying to factorise $n$. (As in many factorisation algorithms we could accumulate a product of $x_i$'s mod $n$ and test for the gcd in, say, every 100th step to speed up the performance.) There are now three possible cases:

— The period $\pi_{\{X\},p}$ or $\pi_{\{X\},q}$ is less than or equal to the boundary $B$, and $\pi_{\{X\},p} \neq \pi_{\{X\},q}$. In this case, $1 < test < n$ and the algorithm succeeds.

— The periods $\pi_{\{X\},p}$ and $\pi_{\{X\},q}$ are less than or equal to the boundary $B$, and $\pi_{\{X\},p} = \pi_{\{X\},q}$. This case occurs with very low probability. In this case $test = n$ and the algorithm fails. We can simply retry the algorithm with some other seed and/or parameters.

— The periods $\pi_{\{X\},p}$ and $\pi_{\{X\},q}$ are greater than the boundary $B$. In this case $test = 1$ and the algorithm fails.
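The generic algorithm above, together with the $seed = \mathrm{Enc}(seed, 2)$ trick and the three outcome cases, is easiest to understand on a modulus small enough to trace by hand. The Python below is an added example, not the paper's code: it implements the two repeat loops once, parameterised by an $\mathrm{Enc}$ callable, and instantiates it for the two settings of Sections 2.2 and 2.3 (integers mod $n$ with $x_{i+1} = x_i^e$, and Lucas sequences with $x_{i+1} = V_e(x_i, 1)$). The moduli $23 \cdot 47$ and $23 \cdot 59$, the seeds and the boundary $B$ are constructed toy values chosen so that $\lambda(\lambda(p))$, respectively $\lambda(\Omega(p, D))$, is small for one prime but not the other, which is precisely the first of the three cases (success); the small-$B$ run shows the third case (gcd stays 1).

```python
# Added example (not from the paper): "Algorithm Cycling Attack" with Enc as a
# parameter, instantiated for the integer setting (Section 2.2, x_{i+1} = x_i^e)
# and the Lucas setting (Section 2.3, x_{i+1} = V_e(x_i, 1)). All moduli, seeds
# and boundaries below are constructed toy values for illustration only.
from math import gcd


def enc_int(m, x, n):
    """Enc(m, x) for integers mod n: m^x mod n."""
    return pow(m, x, n)


def lucas_v(k, P, n):
    """V_k(P, 1) mod n by the recurrence V_j = P*V_{j-1} - V_{j-2} (toy sizes only)."""
    a, b = 2 % n, P % n                      # (V_0, V_1)
    for _ in range(k):
        a, b = b, (P * b - a) % n
    return a


def enc_lucas(m, x, n):
    """Enc(m, x) for Lucas sequences mod n: V_x(m, 1) mod n (so x = 2 gives m^2 - 2)."""
    return lucas_v(x, m, n)


def cycling_attack(n, seed, enc, par, B):
    """Run the two repeat loops of the paper's sketch with x_{i+1} = Enc(x_i, par) mod n.

    Returns (p, q) with p*q == n when 1 < test < n, and None for the two 'fail'
    outcomes (test == 1 within the boundary B, or test == n because the periods
    mod p and mod q coincide)."""
    start = n.bit_length()                   # ceil(log2 n): aperiodic parts are only O(log p) long
    x = enc(seed, 2, n)                      # seed := Enc(seed, 2) halves an even order/period
    for _ in range(start):                   # first repeat loop: walk past any aperiodic part
        x = enc(x, par, n)
    x_start = x
    test = 1
    for _ in range(B):                       # second repeat loop: look for x_{i+1} = x_start mod p or mod q
        x = enc(x, par, n)
        test = gcd(x - x_start, n)
        if test != 1:
            break
    if 1 < test < n:
        return tuple(sorted((test, n // test)))
    return None


if __name__ == "__main__":
    # 23*47: lambda(lambda(23)) = lambda(22) = 10 and lambda(lambda(47)) = lambda(46) = 22,
    # so the squaring sequence mod 23 cycles after 10 steps, long before it does mod 47.
    print("integers, e = 2:", cycling_attack(23 * 47, 5, enc_int, 2, 100))
    print("integers, B too small:", cycling_attack(23 * 47, 5, enc_int, 2, 5))
    # 23*59 with P = 3, D = 5: (5|23) = -1, so mod 23 the Lucas period divides 23 + 1 = 24
    # and the e = 2 sequence repeats almost at once, while mod 59 it does not.
    print("Lucas, e = 2:", cycling_attack(23 * 59, 3, enc_lucas, 2, 100))
```

The defensive reading is the one the paper draws in Section 4: the attack never needs $e$ or a ciphertext, only a modulus whose prime $p$ has a smooth $\lambda(\lambda(p))$ (integer setting) or $\lambda(\Omega(p, D))$ (Lucas setting), so key generation has to rule such primes out rather than rely on the attacker lacking protocol context.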

All the attacks subsequently described have in common that the next element $x_{i+1}$ in the sequence can be calculated from the current element $x_i$ in $O(1)$ steps. We need one theorem for further discussions. A proof of this theorem is given in the technical report [GysSeb].

Theorem 1. Let $\{X\}$ and $\{Y\}$ be two sequences. Let $\{X\} = x_i = seed^{(\ldots)}$ and $\{Y\} = y_i = V_i(P, 1)$, let $n > 0$, $\gcd(seed, n) = 1$. Then

(i) the period $\pi_{\{X\},n}$ of $\{X\} \bmod n$ satisfies: $\pi_{\{X\},n} \mid (\ldots)$;
(ii) the period $\pi_{\{Y\},n}$ of $\{Y\} \bmod n$ satisfies: $\pi_{\{Y\},n} \mid \Omega(n, P^2 - 4)$.

2.2 Enc(·, ·): Integers mod n

Attack 1. Let

$$x_0 = seed \bmod p,\qquad x_{i+1} = x_i^{e} \bmod p$$

where $seed, e \ge 2$. We examine the period of $x_i \bmod p$. We first note that $x_i = seed^{e^i} \bmod p$. We consider $e^i \bmod p - 1$.² If $p - 1 = e^t \ell$ and $\gcd(e, \ell) = 1$, then

— the above sequence will have a maximum aperiodic part of length $t$;

— for the period $\pi_{\{X\},p}$ we have $\pi_{\{X\},p} \mid (\ldots)$.

The algorithm has a high chance of success if either $\lambda(\lambda(p))$ or $\lambda(\lambda(q))$ is either small or smooth.

Prevention of the attack:

To prevent this attack the designer of a public-key cryptosystem or CSPRBG of the RSA or Rabin type must choose $p$ and $q$ such that $\lambda(\lambda(p))$ and $\lambda(\lambda(q))$ are not small and not smooth. In particular, a strong prime $p$ designed to withstand this attack must have the following properties:

— $p - 1$ must have a large factor, say $t$;

— $t - 1$ must have a large factor.

Similar statements can be made about the other prime $q$.

² More precisely, we have to consider $e^i$ modulo the order of $seed \bmod p$. Since the order of $seed \bmod p$ divides $p - 1$, and $\lambda(x) \mid \lambda(y)$ and $\Omega(x, D) \mid \Omega(y, D)$ for $x \mid y$, and we only state that $\pi_{\{X\},p}$ divides some number, everything works out nicely at the end. The aperiodic part might be less than the maximum number stated because the order of $seed \bmod p$ divides $p - 1$ and is not necessarily equal to $p - 1$. Similar considerations need to be made for all the other algorithms but they are omitted for the sake of simplicity.



154 M. Gysin and J. Seberry 



Attack 2. Let

$$x_0 = seed^{V_0(P,1)} \bmod p,\qquad x_1 = seed^{V_1(P,1)} \bmod p,\qquad x_{i+1} = seed^{V_{i+1}(P,1)} \bmod p$$

where $seed \ge 2$ and $V(P, 1)$ is a Lucas sequence. We examine the period of $x_i \bmod p$. We consider $V(P, 1) \bmod p - 1$ and note that $\pi_{V(P,1),p-1} \mid \Omega(p - 1, P^2 - 4)$. There is no aperiodic part. The algorithm has a high chance of success if either $\Omega(\lambda(p), P^2 - 4) = \Omega(p - 1, P^2 - 4)$ or $\Omega(\lambda(q), P^2 - 4) = \Omega(q - 1, P^2 - 4)$ is either small or smooth.

Remark:

In the repeat loop $x_{i+1} = x_i^{P} \cdot x_{i-1}^{-1} = seed^{P\,V_i(P,1) - V_{i-1}(P,1)} = seed^{V_{i+1}(P,1)}$. Therefore, one does not need to keep track of the individual values of $V(P, 1)$ since these are calculated implicitly.

Prevention of the attack:

To prevent this attack the designer of a public-key cryptosystem or CSPRBG of the RSA or Rabin type must choose $p$ and $q$ such that $\Omega(\lambda(p), D)$ and $\Omega(\lambda(q), D)$ are not small and not smooth for any values of $D$. In particular, a strong prime $p$ designed to withstand this attack must have the following properties:

— $p - 1$ must have a large factor, say $t$;

— $t - 1$ and $t + 1$ must have a large factor.

Similar statements can be made about the other prime $q$.

2.3 Enc(·, ·): Lucas Sequences

Attack 1. Let

$$x_0 = V_1(P, 1) \bmod p,\qquad x_{i+1} = V_{e^{i+1}}(P, 1) \bmod p$$

where $e \ge 2$. We examine the period of $x_i \bmod p$. If $(P^2 - 4\,|\,p) = 1$, then we have to examine $e^i \bmod p - 1$; if $(P^2 - 4\,|\,p) = -1$, then we have to examine $e^i \bmod p + 1$. The case $(P^2 - 4\,|\,p) = 0$ occurs with negligible probability. The case $(P^2 - 4\,|\,p) = 1$ has the same complexity as the attack in Section 2.2 (since in this case $\lambda(\Omega(p, P^2 - 4)) = \lambda(\lambda(p))$). Therefore, we assume $(P^2 - 4\,|\,p) = -1$. If, now, $p + 1 = e^t \ell$ and $\gcd(e, \ell) = 1$, then

— the above sequence will have a maximum aperiodic part of length $t$;

— for the period we have $\pi_{\{X\},p} \mid \lambda(\ell)$.

The algorithm has a high chance of success if either $\lambda(\Omega(p, P^2 - 4))$ or $\lambda(\Omega(q, P^2 - 4))$ is either small or smooth.

Remarks:

(i) We need to explain how to calculate $V_{e^{i+1}}(P, 1) \bmod p$ from $V_{e^i}(P, 1) \bmod p$. We let

$$M = \begin{pmatrix} 0 & 1 \\ -1 & P \end{pmatrix},$$

then $V_j$ can easily be derived from $M^j$ (see also appendix). (ii) For $e = 2$ the calculations in the repeat loops can be simplified to $x_{i+1} = x_i^2 - 2 \bmod n$. This is because $x_{i+1} = V_2(x_i, 1) = x_i^2 - 2 \bmod n$.

Prevention of the attack:

To prevent this attack the designer of a public-key cryptosystem or CSPRBG of the RSA or Rabin type must choose $p$ and $q$ such that $\lambda(\Omega(p, D))$ and $\lambda(\Omega(q, D))$ are not small and not smooth for any values of $D$. In particular, a strong prime $p$ designed to withstand this attack must have the following properties:

— $p - 1$ and $p + 1$ must have a large factor, say $t$ and $w$;

— $t - 1$ and $w - 1$ must have a large factor.

Similar statements can be made about the other prime $q$.

Attack 2. Let $V(\tilde{P}, 1)$ and $V(P, 1)$ be two Lucas sequences. Let

$$x_0 = V_{V_0(\tilde P, 1)}(P, 1) \bmod p,\qquad x_{i+1} = V_{V_{i+1}(\tilde P, 1)}(P, 1) \bmod p.$$

We examine the period of $x_i \bmod p$. Since $V(P, 1) \bmod p$ has a period which divides $\Omega(p, P^2 - 4)$, $x_i \bmod p$ has a period which divides $\Omega(\Omega(p, P^2 - 4), \tilde{P}^2 - 4)$. There is no aperiodic part. Note that $\Omega(p, P^2 - 4) = p - 1$ if $(P^2 - 4\,|\,p) = 1$ and $\Omega(p, P^2 - 4) = p + 1$ if $(P^2 - 4\,|\,p) = -1$. The case $(P^2 - 4\,|\,p) = 0$ occurs with negligible probability. We only examine the case $(P^2 - 4\,|\,p) = -1$ and, if $p + 1$ has a large factor, say $t$, $(\tilde{P}^2 - 4\,|\,t) = -1$, since all the other cases are implicitly covered by the above attacks.

Remarks:

(i) Again we need to describe how one can calculate $V_{V_{i+1}(\tilde P, 1)}(P, 1)$ from $V_{V_i(\tilde P, 1)}(P, 1)$ in $O(1)$ steps. The idea is similar to the above. Let $M$ be as above and let $M_i$ be a sequence of $2 \times 2$ matrices. In particular,

$$M_0 = M^{V_0(\tilde P, 1)} = M^2,$$

and then

$$M_{i+1} = M_i^{\tilde P} \times M_{i-1}^{-1} = M^{\tilde P\,V_i(\tilde P, 1) - V_{i-1}(\tilde P, 1)} = M^{V_{i+1}(\tilde P, 1)}.$$

Therefore, there is no need to keep track of the individual values of $V(\tilde P, 1)$ since these are calculated implicitly. (ii) A simple implementation of this algorithm turns out to be about two to three times slower than a simple implementation of the algorithm in Section (...) due to the many matrix operations involved. However, this algorithm is the most general one, in the sense that it induces the strongest requirement on a strong prime $p$ or $q$ (see also below). In particular, a strong prime $p$ or $q$ designed to withstand this attack withstands all previous attacks.

The algorithm has a high chance of success if either $\Omega(\Omega(p, P^2 - 4), \tilde P^2 - 4)$ or $\Omega(\Omega(q, P^2 - 4), \tilde P^2 - 4)$ is either small or smooth.

Prevention of the attack:

To prevent this attack the designer of a public-key cryptosystem or CSPRBG of the RSA or Rabin type must choose $p$ and $q$ such that $\Omega(\Omega(p, D), \tilde D)$ and $\Omega(\Omega(q, D), \tilde D)$ are not small and not smooth for any values of $D$ and $\tilde D$. In particular, a strong prime $p$ designed to withstand this attack must have the following properties:

— $p - 1$ and $p + 1$ must have a large factor, say $t$ and $w$;

— $t - 1$, $w - 1$ and $t + 1$, $w + 1$ must have a large factor.

Similar statements can be made about the other prime $q$.

2.4 Enc(·, ·): Elliptic Curves

Two more attacks involving elliptic curves are elaborated in the following sections. These are slightly different to the generalised cycling attacks, since there might be a failure of the inversion step during the addition of points on the elliptic curve (which is most welcome, since then we can factorise $n$). However, the general idea is exactly the same except that the mathematical setting involved is the additive group of points on an elliptic curve. The elliptic curves are the most promising because of the large variety of group orders they offer. That is, if below one elliptic curve "does not work" there is a chance that another one "does work and will be successful".

Attack 1. Let $x_0 = P = (x, y)$ be a point on an elliptic curve over $\mathbb{F}_p$, let $e \ge 2$. We then form the sequence of points $\{X\}$, where $x_{i+1} = e \cdot x_i$. (That is, $x_{i+1} = x_i + x_i + \ldots + x_i$, where '+' is performed $e$ times and '+' corresponds to the addition of two points on the elliptic curve over $\mathbb{F}_p$.) Let $o = \#E(\mathbb{F}_p)$ denote the number of points on this particular elliptic curve. (We do not make any further considerations about the group structure of $E(\mathbb{F}_p)$. This does not falsify our analyses; however, the upper bounds given could be slightly improved by considering such group structures.) If $o = e^t \ell$ and $\gcd(e, \ell) = 1$, then

— the above sequence will have a maximum aperiodic part of length $t$;

— for the period we have $\pi_{\{X\},p} \mid (\ldots)$.

The algorithm:

The algorithm takes a point $P = (x, y)$ and the parameter $a$ as an input. These determine the elliptic curve $y^2 = x^3 + ax + b \bmod n$ uniquely. The function $\mathrm{xcoord}(P)$ returns the $x$-coordinate of the point $P$. There are now two possible outcomes that lead to the factorisation of $n$: (i) $x_{i+1} = x_{start} \bmod p$, or $x_{i+1} = x_{start} \bmod q$, but not both (in fact, $\mathrm{xcoord}(x_{i+1}) = \mathrm{xcoord}(x_{start}) \bmod p$, or $\mathrm{xcoord}(x_{i+1}) = \mathrm{xcoord}(x_{start}) \bmod q$, but not both, is sufficient and may occur earlier); (ii) the inversion step for the partial addition of two points on $E(\mathbb{Z}_n)$ fails. This is indicated by the variable $invfail$ in the algorithm. If this occurs, then the variable $test$ will be set accordingly, that is, $test$ now holds $p$ or $q$.

An algorithm for factorising $n = pq$ can now be sketched as follows:



Input: $n$, $P = (x, y)$, $a$, $e$, $B$; Output: "success", $p$, $q$; or "fail"

    set b = y^2 - x^3 - ax mod n;
    set start = ⌈log n⌉;
    set x_0 = P;
    repeat
        set x_{i+1} = e × x_i;
    until i > start;
    repeat
        set x_{i+1} = e × x_i;    (* this also sets invfail and test *)
        if not invfail then set test = gcd(xcoord(x_{i+1}) - xcoord(x_start), n);
    until test ≠ 1 or invfail or i > B;
    if test ≠ 1 and test ≠ n then Output("success", test, n/test) else Output("fail");
Remarks:

(i) Instead of testing $\gcd(\mathrm{xcoord}(x_{i+1}) - \mathrm{xcoord}(x_{start}), n)$, we could test $\gcd(\mathrm{ycoord}(x_{i+1}) - \mathrm{ycoord}(x_{start}), n)$ or both. (ii) Doubling the $x$-coordinate of a point is independent of the $y$-coordinate. Therefore, for $e = 2$, the algorithm can be simplified as follows: choose $a, b, x_0 \in \mathbb{Z}_n$ such that $x_0^3 + a x_0 + b$ is a square. In the repeat loops we set:

$$x_{i+1} = \frac{x_i^4 - 2a x_i^2 - 8 x_i b + a^2}{4 x_i^3 + 4 a x_i + 4b} \bmod n.$$

This equation is obtained from the point doubling equation and the elliptic curve equation and some simple transformations.



Prevention of the attack:

Since the orders $o$ of the various elliptic curves lie between $p + 1 - t$ and $p + 1 + t$, where $t^2 = 4p$, it is impossible to design a strong prime to withstand all of these specific attacks. The best advice is to choose a large prime $p$. "Large" depends on security requirements and on the amount of computing cycles that can be performed in a given time unit. This will be discussed in another paper.



Attack 2. Let $P = (x, y)$ be a point on an elliptic curve over $\mathbb{F}_p$. Let $V(\tilde P, 1)$ be a Lucas sequence. We then form the sequence of points $\{X\}$, where $x_0 = V_0(\tilde P, 1) \cdot P$, $x_{i+1} = V_{i+1}(\tilde P, 1) \cdot P$. Let $o = \#E(\mathbb{F}_p)$ denote the number of points on this particular elliptic curve. For the period $\pi_{\{X\},p}$ we now have $\pi_{\{X\},p} \mid \Omega(o, \tilde P^2 - 4)$. There is no aperiodic part.

The algorithm:

The algorithm takes a point $P = (x, y)$ and the parameter $a$ as an input. These determine the elliptic curve $y^2 = x^3 + ax + b \bmod n$ uniquely. The function $\mathrm{xcoord}(P)$ returns the $x$-coordinate of the point $P$. As above there are now two possible outcomes that lead to the factorisation of $n$. The second possibility (failure of the inversion step) is again indicated in the variables $invfail$ and $test$ below. Given $P$, the algorithm calculates the sequence $\{X\}$ where $x_i = V_i(\tilde P, 1) \cdot P$. Note that $V_i(\tilde P, 1)$ does not need to be calculated explicitly. If $x_{i-1} = V_{i-1}(\tilde P, 1) \cdot P$ and $x_i = V_i(\tilde P, 1) \cdot P$ then $x_{i+1} = \tilde P \cdot x_i - x_{i-1} = V_{i+1}(\tilde P, 1) \cdot P$. An algorithm for factorising $n = pq$ can now be sketched as follows:



Input: $n$, $P = (x, y)$, $a$, $\tilde P$, $B$; Output: "success", $p$, $q$; or "fail"

    set b = y^2 - x^3 - ax mod n;
    set x_0 = 2 × P;
    set x_1 = P̃ × P;
    set start = 0;
    repeat
        set x_{i+1} = P̃ × x_i - x_{i-1};    (* this also sets invfail and test *)
        if not invfail then set test = gcd(xcoord(x_{i+1}) - xcoord(x_start), n);
    until test ≠ 1 or invfail or i > B;
    if test ≠ 1 and test ≠ n then Output("success", test, n/test) else Output("fail");

Prevention of the attack:

The comments for the prevention of this attack are now similar to those of the previous subsection.



3 Comparison with Pollard's ρ Method

Observe the similarity of the algorithms in Sections 2.2 and 2.3 for $e = 2$ and some instances of Pollard's ρ method [Pollard]. If we compare these three methods for factorising an RSA modulus $n = pq$ we have:

$x_0 = seed,\ x_{i+1} = x_i^2 + c \bmod n,\ c \neq 0, -2$: Pollard's ρ method

$x_0 = seed,\ x_{i+1} = x_i^2 \bmod n$: algorithm in 2.2

$x_0 = seed,\ x_{i+1} = x_i^2 - 2 \bmod n$: algorithm in 2.3

Note that Pollard's ρ method requires $c \neq 0, -2$ while the other two algorithms use exactly these values of $c$. A contradiction? Not according to the authors. The idea behind Pollard's ρ method is to construct a cyclic sequence with some random properties. It can be shown that due to these random properties, factorisation of $n$ is obtained after $O(\sqrt{p})$ or $O(\sqrt{q})$ steps (whichever is smaller). The algorithms in Sections 2.2 and 2.3 try to exploit some anticipated structure of $p$ and/or $q$ in order to achieve factorisation, a different scenario.
4 Conclusion and Future Research

Strong RSA Primes. A strong RSA prime until now was a prime $p$ where (1):

— $p - 1$ has a large factor, say $t$;

— $p + 1$ has a large factor;

— $t - 1$ has a large factor.

Applying our generalised cycling attacks described above, we obtain the following symmetric conditions. A strong RSA prime is a prime $p$ where (2):

— $p - 1$ and $p + 1$ both have a large factor, say $t$ and $w$;

— $t - 1$ and $t + 1$ both have a large factor;

— $w - 1$ and $w + 1$ both have a large factor.

There is no reason to prefer (1) to (2) (see also below). The attacks that give rise to (2) have the same order of complexity as the attacks that imply (1). However, it is certainly debatable to drop all of these conditions, that is, (1) and (2) (or only insist on $p - 1$ and $p + 1$ having a large factor). This is because (1) and (2) offer no protection against the elliptic curve method [Lenstra] and the EC generalised cycling attacks presented in this paper. Moreover, primes that satisfy (1) and/or (2) might be too "sparse" and/or "not random enough", a disastrous scenario from an information security point of view.

At this moment the attacks described in this paper are of theoretical value only. We do not anticipate that the attacks pose a practical threat to RSA if the primes are chosen large enough. In future research we will (i) quantify primes of a given size that are susceptible to generalised cycling attacks and therefore throw more light on the above discussion; (ii) examine and discuss the EC generalised cycling attacks and variants thereof.
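Conditions (1) and (2) are mechanical to check once the largest prime factors of $p \pm 1$, $t \pm 1$ and $w \pm 1$ are known, and a key-generation routine that wants to enforce them needs exactly such a check. The Python below is an added example, not the paper's code: it reports, for a prime $p$, the factors $t$ and $w$ and whether the old criterion (1) and the symmetric criterion (2) hold, where "large" is modelled by a caller-supplied threshold. The primes 16481 and 1019 and the threshold 8 are constructed toy values; a real generator would demand factors of hundreds of bits, and trial division would be replaced by generating $t$ and $w$ first and searching for $p$ by CRT, as the usual strong-prime constructions do.

```python
# Added example (not from the paper): a checker for the strong-prime criteria (1)
# and (2) of Section 4. 'Large' is modelled by a threshold on the largest prime
# factor; the threshold and the primes used below are constructed toy values.


def largest_prime_factor(n):
    """Largest prime factor of n > 1 by trial division (toy sizes only); 1 for n = 1."""
    largest, d = 1, 2
    while d * d <= n:
        while n % d == 0:
            largest, n = d, n // d
        d += 1
    return max(largest, n) if n > 1 else largest


def strong_prime_report(p, threshold):
    """Evaluate criteria (1) and (2) for the prime p.

    Returns a dict with t (largest factor of p-1), w (largest factor of p+1),
    one boolean per required 'large factor', and the two overall verdicts:
      condition_1: p-1, p+1 and t-1 have a large factor;
      condition_2: additionally t+1, w-1 and w+1 have a large factor.
    """
    t = largest_prime_factor(p - 1)
    w = largest_prime_factor(p + 1)

    def has_large_factor(m):
        return largest_prime_factor(m) >= threshold

    report = {
        "t": t,
        "w": w,
        "p-1": t >= threshold,
        "p+1": w >= threshold,
        "t-1": has_large_factor(t - 1),
        "t+1": has_large_factor(t + 1),
        "w-1": has_large_factor(w - 1),
        "w+1": has_large_factor(w + 1),
    }
    report["condition_1"] = report["p-1"] and report["p+1"] and report["t-1"]
    report["condition_2"] = all(report[k] for k in ("p-1", "p+1", "t-1", "t+1", "w-1", "w+1"))
    return report


if __name__ == "__main__":
    # Constructed examples: 16481 = 1 + 103*160 = 67*246 - 1 satisfies (2) with threshold 8
    # (t = 103, w = 67, and 102, 104, 66, 68 all have a prime factor >= 8); 1019 satisfies
    # the old criterion (1) but fails (2) because w = 17 and w - 1 = 16 is a power of two.
    for p in (16481, 1019):
        r = strong_prime_report(p, 8)
        print(p, "t =", r["t"], "w =", r["w"], "(1):", r["condition_1"], "(2):", r["condition_2"])
```

The second constructed prime illustrates the paper's point that (1) and (2) are genuinely different requirements: a prime can pass every test the older definition imposes and still expose a $w - 1$ with only tiny factors, which is the quantity the Lucas-sequence attacks of Section 2.3 cycle on.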



Maurer's Theorem 6 Does not Apply. Maurer's Theorem 6 in [Maurer] does not apply to the attacks presented here. Page 148 states that "Iterated t-fold encryption in an RSA cryptosystem reveals the plaintext x if and only if $x^{e^u} = x \pmod m$ for some $u < t$, i.e., if and only if $e^u = 1 \pmod{\mathrm{ord}_m(x)}$ for some $u < t$" (remark: $m$ in [Maurer] is the RSA modulus, that is, $n$ in our paper). Page 149 concludes "Theorem 6 illustrates that, in order to prevent decipherability by iterated encryption, the condition, suggested by Rivest [78] and others, that $p' - 1$ (where $p'$ is the largest factor of $p - 1$) must also have a very large prime factor $p''$, is unnecessary." The scenario considered in [Maurer] corresponds to Case 1 in the abstract of our paper. Case 2 (cycling attacks and EC generalised cycling attacks) is not considered. Hence, Theorem 6 covers only Case 1 and does not apply to our attacks.
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A Appendix 

A.1 Lucas Sequences

Let P > 3, V_0 = 2, V_1 = P and for n ≥ 2, V_n = P·V_{n−1} − Q·V_{n−2}. This sequence is called a Lucas sequence. (Often instead of only writing V_n we write V_n(P, Q). The whole sequence {V_n} will be denoted by V(P, Q).) The following properties (amongst many others) are elementary and well known:

1. If α and β are distinct roots of the polynomial x² − Px + Q = 0, then V_n = α^n + β^n.

2. V_n(V_k(P, Q), Q^k) = V_{nk}(P, Q). In particular, if Q = 1, then V_n(V_k(P, 1), 1) = V_{nk}(P, 1) = V_k(V_n(P, 1), 1). This property forms the basis for many RSA and ElGamal type cryptosystems.

Note that if Q = 0 then V_n = P^n for n ≥ 1. In other words, Lucas sequences can be looked at as generalised exponentiation. This property and the above mentioned property (2.) are the basis for many RSA and ElGamal type cryptosystems, cryptographically secure pseudo-random bit generators (CSPRBG), and factorisation algorithms based on Lucas sequences.

Let us now try to calculate the period π_{V(P,1),p} of V(P, 1) mod p, p prime. Let D = P² − 4Q = P² − 4, D ≠ 0, and assume D is square-free. From above we have

α = (P + √D)/2,   β = (P − √D)/2,

and using Fermat’s theorem in the quadratic field Z_p[√D]

α^p = ((P + √D)/2)^p = (1/2^p)·(P^p + (√D)^p) = (1/2)·(P + (√D)^p) mod p.

Since

(√D)^p = D^{(p−1)/2}·√D = (D|p)·√D mod p,

we obtain

α^p = α mod p if (D|p) = 1,   α^p = β mod p if (D|p) = −1,

and similarly for β

β^p = β mod p if (D|p) = 1,   β^p = α mod p if (D|p) = −1.
It can be shown that

α, β ∈ GF(p) if (D|p) = 1,   α, β ∈ GF(p²) if (D|p) = −1.

This property allows us to calculate V_{p−1}, V_p, V_{p+1}, V_{p+2} mod p for the two cases (D|p) = 1 and (D|p) = −1. The values are shown in Table 1. Note that V_p(P, 1) = P mod p. This property can be used for probabilistic primality tests based on Lucas sequences.





               V_{p−1}    V_p    V_{p+1}    V_{p+2}
(D|p) = 1         2        P       V_2        V_3
(D|p) = −1       V_2       P        2          P

Table 1. Some values of V(P, 1) mod p.



Since V_0 = 2, V_1 = P and the sequence is fully determined by its last two elements, we now have for (D|p) = 1 that V(P, 1) mod p repeats itself after at most p − 1 steps; and for (D|p) = −1, V(P, 1) mod p repeats itself after at most p + 1 steps. More precisely, π_{V(P,1),p} | p − (D|p).

V(P, 1) mod p is symmetric. More precisely, V_i = V_{π−i} mod p, where π = π_{V(P,1),p}. This can be seen as follows. V_{i−1} = P·V_i − V_{i+1}. Therefore, V_{π−1} = P·V_π − V_{π+1} = P·V_0 − V_1 = P = V_1 mod p, as claimed. The proof that V_i = V_{π−i} mod p follows now by induction on i.

The calculation of the period π_{V(P,Q),p} of V(P, Q), Q ≠ 1, can be done similarly, and it can be shown that, in this case, π_{V(P,Q),p} | p² − 1.

It is important to realise that V_k(P, 1) (and in general V_k(P, Q)) can be calculated in O(log k) steps by square-and-multiply techniques. In other words, one does not have to calculate V_0, ..., V_{k−2}, V_{k−1} in order to be able to calculate V_k.

One possibility to calculate V_k(P, 1) in O(log k) steps is the following. Consider the 2 × 2 matrix

and the matrix multiplication producing the vector (a, b). It can be shown [Vajda89] that a = V_k(P, 1) and b = V_{k+1}(P, 1). Both a and b (and therefore V_k) can be calculated in O(log k) steps by square-and-multiply techniques.
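As an added example (not code from the paper), the following Python computes V_k(P, Q) mod n in O(log k) steps with a 2 × 2 matrix and then checks Table 1 and the period property of Appendix A.1 on constructed values; the transition matrix T is a standard choice assumed here, since the paper's own matrix is not reproduced on the page.

```python
# Added example (not from the paper): Lucas sequences V(P, Q) mod n by
# square-and-multiply on a 2x2 matrix, then a check of Table 1 and of the
# period property pi_{V(P,1),p} | p - (D|p) from Appendix A.1.
# The transition matrix T below is a standard choice (an assumption here).

def mat_mul(X, Y, n):
    """Product of two 2x2 matrices with entries reduced mod n."""
    (a, b), (c, d) = X
    (e, f), (g, h) = Y
    return (((a * e + b * g) % n, (a * f + b * h) % n),
            ((c * e + d * g) % n, (c * f + d * h) % n))

def lucas_pair(P, Q, k, n):
    """Return (V_k, V_{k+1}) of the Lucas sequence V(P, Q) mod n.

    [V_{k+1}, V_k]^T = T^k [V_1, V_0]^T with T = [[P, -Q], [1, 0]], so V_k
    costs O(log k) matrix squarings instead of k sequence steps.
    """
    T = ((P % n, (-Q) % n), (1, 0))
    R = ((1, 0), (0, 1))              # identity matrix
    while k:
        if k & 1:
            R = mat_mul(R, T, n)
        T = mat_mul(T, T, n)
        k >>= 1
    (a, b), (c, d) = R
    v1, v0 = P % n, 2 % n             # V_1 = P, V_0 = 2
    return (c * v1 + d * v0) % n, (a * v1 + b * v0) % n

def legendre(a, p):
    """Legendre symbol (a|p) for an odd prime p via Euler's criterion."""
    r = pow(a % p, (p - 1) // 2, p)
    return -1 if r == p - 1 else r

def table1_check(P, p):
    """Compute V_{p-1}, V_p, V_{p+1}, V_{p+2} of V(P,1) mod p, compare with
    Table 1, and test whether the sequence is back at (V_0, V_1) after
    p - (D|p) steps, i.e. whether the period divides p - (D|p)."""
    D = P * P - 4                      # D = P^2 - 4Q with Q = 1
    sym = legendre(D, p)
    assert sym != 0, "D must be nonzero mod p for Table 1 to apply"
    v2, v3 = lucas_pair(P, 1, 2, p)
    values = tuple(lucas_pair(P, 1, k, p)[0] for k in (p - 1, p, p + 1, p + 2))
    expected = (2 % p, P % p, v2, v3) if sym == 1 else (v2, P % p, 2 % p, P % p)
    back = lucas_pair(P, 1, p - sym, p) == (2 % p, P % p)
    return {"symbol": sym, "values": values,
            "matches_table": values == expected, "period_divides": back}

if __name__ == "__main__":
    for p in (11, 17):                 # constructed: (D|p) = -1 for 11, +1 for 17
        print(p, table1_check(5, p))
```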
A.2 Elliptic Curves

We only give a brief introduction to elliptic curves. The reader is referred to [Menezes] for more details. We only consider elliptic curves over the field F_p or the ring Z_n, where n = pq, p, q two primes > 3.

An elliptic curve E is the set of solutions (x, y) to the affine Weierstrass equation

y² = x³ + ax + b, (1)

together with a point at infinity denoted by O. If E is over F_p or if E is over Z_n, we denote the solutions to (1) by E(F_p) or E(Z_n), respectively. The number of solutions to (1) including O will be denoted by #E(F_p) or #E(Z_n), respectively.

If 4a³ + 27b² ≠ 0 mod p, then it can be shown that E(F_p) is an abelian group by defining a suitable operation ‘+’ on its points. O is the identity element. That is, P + O = O + P = P. For P = (x_1, y_1), Q = (x_2, y_2), P, Q ≠ O, P + Q is defined as follows. If x_1 = x_2 and y_2 = −y_1, P + Q = O. Otherwise P + Q = R = (x_3, y_3), where

x_3 = λ² − x_1 − x_2,   y_3 = λ(x_1 − x_3) − y_1,

and λ is the slope of the line through P and Q (the tangent at P when P = Q).

Let E be an elliptic curve over F_p. It is well known that E(F_p) ≅ Z_{n_1} × Z_{n_2}, where n_2 | n_1 and n_2 | p − 1. Furthermore, #E(F_p) = p + 1 + t, where t² < 4p.

We can generalise these addition laws to the case E(Z_n). Clearly, E(Z_n) will not be a group, since the inversion step will not be possible if the denominator and n are not co-prime. Therefore, we call this operation partial addition. Whenever partial addition on E(Z_n) is defined, we have for P = (x, y) ∈ E(Z_n), P_p = (x mod p, y mod p) ∈ E(F_p) and P_q = (x mod q, y mod q) ∈ E(F_q). Therefore, this partial addition will have the following properties:

— if it is defined, it will yield a new point on E(Z_n);

— if it is not defined, it will lead to the factorisation of n.
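An added example (not from the paper) of partial addition on E(Z_n) that shows both properties just stated: a defined sum is again a point of E(Z_n), while an undefined one exposes the gcd that blocked the inversion, a factor of n. The curve y² = x³ + x + 1 over Z_143 with 143 = 11 · 13 and the start point (0, 1) are constructed for the demonstration.

```python
# Added example (not from the paper): partial addition on E(Z_n) for
# y^2 = x^3 + a x + b, n = p q, as described in Appendix A.2. Whenever the
# slope's denominator is invertible mod n the result is again a point of
# E(Z_n); when it is not, the gcd that blocks the inversion is a factor of n.
# The curve, n = 143 = 11 * 13 and the start point are constructed here.

from math import gcd

INF = None   # the point at infinity O


class UndefinedAddition(Exception):
    """Partial addition is undefined; .factor is the nontrivial gcd found."""
    def __init__(self, factor):
        super().__init__(f"denominator not coprime to n, gcd = {factor}")
        self.factor = factor


def inv_mod(x, n):
    """Inverse of x mod n, or raise UndefinedAddition when gcd(x, n) != 1."""
    g = gcd(x % n, n)
    if g != 1:
        raise UndefinedAddition(g)
    return pow(x % n, -1, n)


def on_curve(pt, a, b, n):
    """True if pt satisfies y^2 = x^3 + a x + b mod n (O is always on E)."""
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % n == 0


def partial_add(P1, P2, a, n):
    """Chord-and-tangent addition with every division carried out mod n."""
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if (x1 - x2) % n == 0:
        if (y1 + y2) % n == 0:
            return INF                      # P + (-P) = O
        if (y1 - y2) % n != 0:
            # x agrees mod n but y agrees only mod one of the primes:
            # P_p = Q_p while P_q = -Q_q, so the sum is undefined
            raise UndefinedAddition(gcd((y1 - y2) % n, n))
        lam = (3 * x1 * x1 + a) * inv_mod(2 * y1, n) % n   # tangent slope
    else:
        lam = (y2 - y1) * inv_mod(x2 - x1, n) % n          # chord slope
    x3 = (lam * lam - x1 - x2) % n
    y3 = (lam * (x1 - x3) - y1) % n
    return (x3, y3)


def multiples_until_undefined(P, a, b, n, max_steps):
    """Form P, 2P, 3P, ... by repeated partial addition. Returns
    (k, factor) for the first k at which kP is undefined, or None."""
    R = P
    for k in range(2, max_steps + 1):
        try:
            R = partial_add(R, P, a, n)
        except UndefinedAddition as err:
            return k, err.factor
        assert on_curve(R, a, b, n)        # a defined sum stays on E(Z_n)
    return None


if __name__ == "__main__":
    n, a, b = 143, 1, 1                     # constructed: 143 = 11 * 13
    print(multiples_until_undefined((0, 1), a, b, n, 50))   # (6, 13)
```

The point (0, 1) has order 7 on E(F_11) and order 6 on E(F_13), so the sixth multiple is O modulo 13 but not modulo 11, which is exactly where the denominator stops being invertible.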
Abstract. An efficient implementation of modular exponentiation, i.e., the main building block in the RSA cryptographic scheme, is achieved by first designing a bit-level systolic array such that the whole procedure of modular exponentiation can be carried out entirely by a single unit without using global interconnections or memory to store intermediate results, and then mapping this design onto a Xilinx XC6000 Field Programmable Gate Array.



1 Introduction 

Many popular cryptographic schemes, such as the RSA scheme, the ElGamal scheme, the Fiat-Shamir scheme, etc., make extensive use of modular exponentiation of long integers. However, it is a very slow operation when performed on a general purpose computer. A cheap and flexible modular exponentiation hardware accelerator can be built using Field Programmable Gate Arrays. In this paper we do not compete with industrial-strength special purpose hardware for modular exponentiation. Rather, we use the complexity of the problem as a benchmark for evaluating the computing power of fine grained FPGAs, and for developing a more systematic methodology for their programming.

We propose a two-step procedure for an implementation of modular expo- 
nentiation on FPGAs. The main idea is as follows. Bit-level systolic arrays share 
many limitations and constraints with FPGAs; both favor regular repetitive 
designs with local interconnections, simple synchronisation mechanisms and mi- 
nimal global memory access. While programming FPGAs is still pretty much 
an ad hoc process, there is a mature methodology of bit-level systolic systems 
design. Thus, to achieve a good FPGA implementation, it may be beneficial first 
to design a systolic array for a given application, and then map this array onto 
FPGAs in a systematic fashion, preserving the main properties of the systolic 
design. 

In this paper an efficient systolic array for modular exponentiation, such that the whole exponentiation procedure can be carried out entirely by the single systolic unit without global interconnections or use of global memory to store intermediate results, is designed first. This procedure is based on Montgomery multiplication, and uses a high-to-low binary method of exponentiation. Moreover, this array is expected to be faster than similar devices performing exponentiation by repeated modular multiplications of an integer by itself.

The next step consists of a systematic mapping of the systolic array onto 
fine grained FPGAs. During this experiment a number of observations emerged, 
which we present in this paper. Our final design accommodates a modular 
exponentiation of a 132-bit long number on one Xilinx XC6000 chip comprising 
64 X 64 elementary logic cells. 

The hardware implementation reported in this paper relies on the configurability of FPGAs, but does not use run-time reprogrammability and/or SRAM memory (intermediate results are stored in registers implemented within individual cells). This makes our design simpler and easy to implement. The price to pay is that more chips are needed to implement RSA with a longer key. 4 Kgates, or one XC6000 chip, is required for modular exponentiation of 132-bit long integers. 512-bit long integers need 4 XC6000 chips connected in a pipeline fashion, or 16 Kgates. The bit rate for a clock frequency of 25 MHz can be estimated to be approximately 800 Kb/sec for 512 bit keys, which is comparable with the rate reported in a fundamental paper of Shand and Vuillemin and an order of magnitude better than the ones in two other reported designs.

2 Modular Exponentiation of Long Integers 

The main and most time consuming operation in the RSA algorithm is modular 
exponentiation of long integers. The RSA Laboratories recommended key sizes 
are now 768 bits for personal use, 1024 bits for corporate use, and 2048 bits for 
extremely valuable keys. A 768-bit key is expected to be secure until at least the 
year 2004. 

A modular exponentiation operation M^e mod n cannot be implemented in a naive fashion by first computing M^e and then performing reduction modulo n, since even if M and e have only 256 bits each, the intermediate result M^e contains ~10^80 digits. Hence, the intermediate results of the exponentiation are to be reduced modulo n at each step. The straightforward reduction modulo n involves a number of arithmetic operations (division, subtraction, etc.), and is very time consuming. Therefore, special algorithms for modular operations are to be used.

In 1985, P. L. Montgomery proposed an algorithm for modular multiplication AB mod m without trial division. In a later study, different modular reduction algorithms for large integers were compared with respect to their performance, and the conclusion was drawn that for general modular exponentiation the exponentiation based on Montgomery’s algorithm has the best performance.

2.0.1 Montgomery Multiplication

Let A, B be elements of Z_m, where Z_m is the set of integers between 0 and m − 1. Let h be an integer coprime to m, and h > m.

Definition. Montgomery multiplication (MM) is an operation

A ⊗_{h,m} B = A · B · h^{−1} mod m. (1)

Implementation of this operation is much easier than a normal reduction modulo m, and is based on some facts from number theory. The use of MM does not result in the desirable speed-up immediately. To compute AB mod m, a computation of MM is to be performed twice:

1. C = A ⊗_{h,m} B = A · B · h^{−1} mod m, and

2. C ⊗_{h,m} (h² mod m) = ABh^{−1} · h² · h^{−1} mod m = AB mod m,

where h² mod m is computed in advance. The advantage of using two Montgomery multiplications instead of one operation of plain modular multiplication is uncertain.



2.0.2 Montgomery Exponentiation 

An efficient way to compute AB mod m using MM is by exploiting special representations of A and B.

Definition. X̄ is called an image of X if X̄ = X · h mod m, h > m.

If h and m are relatively prime, then there exists a one-to-one correspondence between X and X̄. MM of Ā and B̄ is isomorphic to the modular multiplication of A and B. Indeed, Ā ⊗_{h,m} B̄ = (Ah mod m) ⊗_{h,m} (Bh mod m) = (AB)h mod m, the image of A · B. The reduction of X to X̄ and vice versa can be carried out on the basis of MM:

X ⊗_{h,m} (h² mod m) = X · h² · h^{−1} mod m = X̄, (2)

X̄ ⊗_{h,m} 1 = (X · h mod m) · 1 · h^{−1} mod m = X. (3)

By virtue of the isomorphism of modular multiplication and MM, the use of the images is very convenient for exponentiation. Let (⊗_{h,m} X)^n denote (n − 1) MMs of X by itself. To compute Y = X^n mod m, we should perform three steps: first, convert X to X̄ by (2); next, realize Ȳ = (⊗_{h,m} X̄)^n, the image of X^n; and finally, convert Ȳ to Y by (3).



2.1 Algorithm for Implementation of Montgomery Multiplication

Several algorithms suitable for hardware implementation of MM are known. In this paper, the design of a systolic array is based on an algorithm described and analysed in the literature. Let numbers A, B and m be written with radix 2:

A = Σ_{i=0}^{N−1} a_i · 2^i,   B = Σ_{i=0}^{M} b_i · 2^i,   m = Σ_{i=0}^{M−1} m_i · 2^i,

where a_i, b_i, m_i ∈ GF(2), N and M are the numbers of digits in A and m, respectively. B satisfies the condition B < 2m, and has at most M + 1 digits. m is odd (to be coprime to the radix 2). Extend the definition of A with an extra zero digit a_N = 0. The algorithm for MM is given below.



    s := 0;
    For i := 0 to N do
    Begin
        u_i := ((s_0 + a_i * b_0) * w) mod 2;
        s := (s + a_i * B + u_i * m) div 2
    End                                                          (4)



The initial condition B < 2m ensures that intermediate and final values of s are bounded by 3m. The use of an iteration with a_N = 0 ensures that the final value s < 2m. Hence, this value can be used for the B input in a subsequent multiplication. Since 2 and m are relatively prime, we can precompute the value w = (2 − m_0)^{−1} mod 2. An implementation of the operations div 2 and mod 2 is trivial (shifting and inspecting the lowest digit, respectively). Algorithm (4) returns either s = A · B · 2^{−N−1} mod m or s + m (because s < 2m). In any case, this extra m has no effect on subsequent arithmetic modulo m. It should be noted that the number of iterations in (4) affects h. In our case, (4) presents the implementation of (1) with h = 2^{N+1}.

2.2 Graph Model for Montgomery Multiplication 

Using standard methods for systolic systems design, first we construct a data dependency graph (also referred to as DG, or graph model) for Algorithm (4). This graph is depicted in Fig. 1. For N- and M-digit integers A and B, the graph consists of N + 2 rows and M + 1 columns. The i-th row represents the i-th iteration of (4). Arrows are associated with digits transferred along the indicated directions. Each vertex v(j, i), i ∈ {0, ..., N}, j ∈ {0, ..., M}, is associated with the operation

s_{j−1}^{(i+1)} + 2 · c_out := s_j^{(i)} + a_i · b_j + u_i · m_j + c_in,

where s_j^{(i)} denotes the j-th digit of the i-th partial product of s, and c_out and c_in are the output and input carries. Rightmost starred vertices, i.e., vertices marked with *, perform calculations of u_i := ((s_0 + a_i · b_0) · w) mod 2 besides an ordinary operation. Using standard notation, the vertex operations can be specified in terms of inputs/outputs as follows:



    s_out + 2 · c_out := s_in + a_in · b_in + u_in · m_in + c_in,
    a_out := a_in,   b_out := b_in,
    u_out := u_in,   m_out := m_in                                (5)

for plain vertices, and

    u_out := ((s_in + a_in · b_in) · w_in) mod 2,
    c_out := maj2(s_in, a_in · b_in, u_in · m_in),                (6)
    a_out := a_in,   b_out := b_in,   m_out := m_in

for starred vertices, where maj2(s_in, a_in · b_in, u_in · m_in) is 1 if at least two out of the three entries are 1s; otherwise it is 0.

Fig. 1. Graph model for A ⊗_{h,m} B: case of N = 2, M = 3.



2.2.1 High-to-Low Binary Method of Exponentiation 

If instead of digits of A we input digits of B both at the topmost and rightmost vertices of the graph in Fig. 1, then the graph model represents a calculation of

B ⊗_{h,m} B = (⊗_{h,m} B)²,

called M-squaring. To represent the computation of (⊗_{h,m} B)³, two graphs can be joined in a single graph by connecting the s_j-outputs of the first graph with the b_j-inputs of the next (identical) graph, in which the rightmost inputs a_i get digits of B as before. To compute (⊗_{h,m} B)^n, we will need n − 1 joined graphs. The resulting graph model consists of vertices located in a rectangular domain V_1 = {v(i, j) | 0 ≤ i ≤ n × (M + 2) − 1, 0 ≤ j ≤ M + 1}. The graph is almost homogeneous, with exceptional starred vertices in the rightmost column.

However, a faster way to compute B^n mod m is by reducing the computation to a sequence of modular squares and multiplications. Let [n_0 ... n_k] be a binary representation of n, i.e., n = n_0 + 2n_1 + 2²n_2 + ··· + 2^k n_k, n_j ∈ GF(2), k = ⌊log₂ n⌋, n_k = 1. Let β denote a partial product. We start out with β = B and run from n_{k−1} to n_0 as follows: if n_j = 0, then β := β²; if n_j = 1, then β := β² · B. Thus, we need at most 2k operations to compute B^n. This algorithm has an advantage over a low-to-high binary method of exponentiation since, when implemented in hardware, it requires only one set of storage registers for intermediate results as opposed to two for a low-to-high method.
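An added software model (not the paper's own code) of Algorithm (4) from Sect. 2.1 together with the image conversions (2) and (3) of Sect. 2.0.2 and the high-to-low binary method just described. It fixes h = 2^(N+1) as stated after (4), uses the a_N = 0 iteration so that every result stays below 2m, and the moduli and operands in the demonstration are constructed.

```python
# Added example (not from the paper): a software model of Algorithm (4),
# the radix-2 Montgomery multiplication with the extra a_N = 0 iteration,
# and of Montgomery exponentiation via the image conversions (2), (3) and
# the high-to-low binary method of Sect. 2.2.1. Test values are constructed.

def mont_mul(a, b, m, n_bits):
    """Algorithm (4): return s = a * b * 2^-(n_bits+1) mod m, or s + m.

    Preconditions as in the paper: m odd, a < 2^n_bits (so a_N = 0 in the
    final iteration), b < 2m. The result satisfies s < 2m, so it can be fed
    back as the b operand of the next multiplication.
    """
    assert m & 1 and 0 <= a < (1 << n_bits) and 0 <= b < 2 * m
    w = 1                        # w = (2 - m_0)^-1 mod 2, and m_0 = 1 for odd m
    s = 0
    for i in range(n_bits + 1):  # n_bits + 1 iterations, the last with a_i = 0
        a_i = (a >> i) & 1
        u_i = ((s + a_i * b) * w) & 1            # u_i := ((s_0 + a_i b_0) w) mod 2
        s = (s + a_i * b + u_i * m) >> 1         # div 2 is exact: the sum is even
        assert s < 3 * m                         # bound stated in the paper
    return s

def mont_pow(x, e, m):
    """x^e mod m using only Montgomery multiplications with h = 2^(N+1)."""
    if e == 0:
        return 1 % m
    x %= m
    M = m.bit_length()           # number of digits of m
    N = M + 1                    # digits of values < 2m, the width of the a operand
    h = 1 << (N + 1)             # h is fixed by the iteration count of (4)
    h2 = (h * h) % m             # precomputed h^2 mod m
    xbar = mont_mul(x, h2, m, N)                 # (2): image of x, i.e. x*h mod m
    beta = xbar                  # start with beta = B (the top bit n_k = 1)
    for j in range(e.bit_length() - 2, -1, -1):  # high-to-low: n_{k-1} .. n_0
        beta = mont_mul(beta, beta, m, N)        # beta := beta^2   (M-squaring)
        if (e >> j) & 1:
            beta = mont_mul(beta, xbar, m, N)    # beta := beta^2 * B
    return mont_mul(beta, 1, m, N) % m           # (3): strip the factor h

if __name__ == "__main__":
    print(mont_pow(4, 13, 497))   # 445, the same as pow(4, 13, 497)
```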
2.3 Graph Model for Squaring

To perform M-squaring the dependency graph for M-multiplication can be modified in such a way that all the b_j's inputs enter the graph only via the top-row vertices. This eliminates the rightmost a_i-inputs entirely. To deliver all b_j's to the rightmost vertices, we have to pump them through the graph in a direction determined by the vector (1, −1). To do it, additional arcs x_j's for propagation of the b_j's digits have to be added to the dependency graph in Fig. 1. Vertex operations are to be slightly modified to provide propagation of these digits: each non-starred vertex just transmits its x-input data to an x-output, while when arriving at the rightmost vertices, these data are “reflected” and propagated to the left as if they were ordinary a_i's input data. It is known that the output value s < 2m. Hence, we need at most M + 1 rows for the “reflected” factor and an additional row for the extension with an extra zero digit. A graph model for M-squaring is depicted in Fig. 2.




Fig. 2. Graph model for (⊗_{h,m} B)²: case of M = 3.

Using standard notation, the vertex operations for M-squaring can be speci- 
fied in terms of inputs/outputs as follows: 



    s_out + 2 · c_out := s_in + a_in · b_in + u_in · m_in + c_in,
    a_out := a_in,   b_out := b_in,                               (7)
    u_out := u_in,   x_out := x_in,   m_out := m_in

for plain vertices, and for starred vertices the operation is:

    u := ((s_in + x_in · b_in) · w_in) mod 2,
    s_out + 2 · c_out := s_in + x_in · b_in + u · m_in,
    c_out := maj2(s_in, x_in · b_in, u_in · m_in),                (8)
    u_out := u,   a_out := x_in,   b_out := b_in,   m_out := m_in.
2.4 Linear Systolic Array for Modular Exponentiation

A graph model for an exponentiation as a whole is constructed as a composition of graphs for M-multiplication and M-squaring by joining the outputs of one graph with the corresponding inputs of the consecutive graph. There are at most 2k graphs altogether, and the precise number of required graphs for M-multiplication and M-squaring and the order in which they occur in the composition is fully determined only by the binary representation of n. The vertices of the resulting graph constitute a rectangular domain V_2 = {v(i, j) | 0 ≤ i ≤ 2k × (M + 2), 0 ≤ j ≤ M + 1}, where k = ⌊log₂ n⌋.¹

The next stage of the systolic design is a space-time mapping of domain V_2 onto a one-dimensional domain of processing elements (PE). Spatial mapping is determined by a linear operator with matrix P = (1 0), which maps an indefinitely long composition of the joined DGs onto a linear systolic array with M + 1 processing elements: each column of vertices is mapped onto one PE, as shown in Fig. 3. Hence, each PE in Fig. 3 has to be able to operate in two modes. To control the operation modes, a sequence of one-bit control signals τ is fed into the rightmost PE and propagated through the array. If τ = 0 the PE implements an operation for M-multiplication; if τ = 1, for M-squaring. The order in which control signals are input is determined by the binary representation of n. A timing function that provides a correct order of operations is t(v) = 2i + j. The total running time is thus at most (4⌊log₂ n⌋ + 1)M + 8⌊log₂ n⌋ time units.




Fig. 3. Linear Systolic Array. 



3 Logic Design of the FPGA Implementation of Montgomery Exponentiation

Our next step is to implement the systolic array on FPGAs. The purpose of this experiment is threefold: firstly, to derive a systematic method of mapping systolic algorithms into a sea of cells; secondly, to construct an efficient FPGA implementation of a particularly important application; and thirdly, to investigate the limits of a fine grained FPGA chip for modular exponentiation. We conducted our experiments with the Xilinx XC6000, comprising 64 × 64 logic cells.

3.1 Inputs and Outputs

To meet the limitation of FPGAs that input/output ports are located along the borders of the chip, we found the following ideas fruitful. The first step of any exponentiation is always squaring, β²; but this step can be implemented as multiplication β · β (where β = B, an input number). Since all s_i's are 0's at the first step of any multiplication and squaring, and for all other steps the s_i's are to be the results of the previous step, we can use registers to store intermediate s_i's, and instead of loading 0's from the host, just set all these registers to 0 initially. The dependency graph for M-multiplication does not have inputs x_i's, i ∈ {0, ..., M + 1}; hence, the final design does not need these inputs since input values for x_i's required for M-squaring will be generated later, and can be loaded from the registers containing the results s_j's of the previous stage of computations.

¹ 2k × (M + 2) is the largest number of all possible rows in a resulting graph model.

All inputs b_i's for the topmost row of the first graph for M-multiplication must receive the corresponding bits of input B (the same as the rightmost inputs a_i's), while for all consecutive graphs these inputs are to be connected with the s_j's- or b_j's-outputs of the previous graph, depending on whether this stage is multiplication or squaring. An additional control signal σ must be used to provide the correct assignment for registers associated with top row vertices. Thus, instead of having M + 1 “vertical” inputs for b_i's, we shall use registers and load them initially with the corresponding bits b_i's from inputs a_i's; new values computed at later stages and used as inputs for the consequent graph will be reassigned to these registers as described above. Hence, the only I/O ports actually needed in the design are located at the rightmost and leftmost processing elements.

3.2 Logic Design for the Non-starred PE 

Consider now the logic design for the implementation of an individual PE in detail. A minor optimisation first. Modes of the plain PE for multiplication and squaring differ only by the transmission or absence of the transmission of data x_i, and the control signal τ is used to distinguish these two modes. However, x_i's do not affect computations in the non-starred PEs; they are used only in the rightmost (starred) PEs. Therefore, we can ignore the existence of two modes for the plain PE and let it transmit x_i regardless of τ. Hence, we do not need a control signal τ in the plain PEs; τ should be used only in the rightmost PE where it defines whether input data x_i is to be used or ignored. Nevertheless, we need a control signal σ to ensure the correct initial assignments to x_i's depending on whether M-multiplication or M-squaring should be carried out: x_out := mux(σ_in : x_in, s_in).

Original input data b_i's are to be stored in the local memories of PEs for future M-multiplications. We use a special register for this purpose. As above, a control signal σ is used to provide the correct initial assignments to variables b_i's depending on whether PEs are supposed to perform multiplication or squaring: b_out := mux(σ_in : b_in, s_in).

172   A. Tiountchik and E. Trichina

A computational part of the main PE includes control over input data, two logic multiplications, a_in · b_in and u_in · m_in, and addition of these products with an intermediate sum s_in and input carries. Evidently, four-element addition can generate two carries, meaning that all main PEs will have two input carries and produce two output carries; the first carry is to be used by the nearest neighbor PE, and the second carry is to be used by the PE after the nearest neighbor:

    s_out + 2 · c_out + 2 · c'_out := a_in · b_in + u_in · m_in + s_in + c_in + c'_in.

We shall denote the carry that is just a transit from the right neighbor to the left one by a separate signal; its output is simply its input. It is not uncommon to implement addition of 5 entries using two full adders and one half adder, which can be found in the standard library XC6000 provided by XACTStep 6000, with the “communication” part surrounding this module. However, if the outputs of some gates are to be stored in registers, these gates and registers should not be at different hierarchical levels, because normally a gate-register pair may occupy only one cell, but if the gate is embedded in a module while the register is outside of this module, they inevitably will be placed in different cells, and often rather far apart. Thus, if registers are to be used to store the output data of a module, it is desirable to insert these registers inside the module. Fig. 4 presents the final design for a plain PE.

3.3 Logic Design for the Rightmost PE 

The rightmost PE selects the correct values for its b- and a-inputs, depending on the control signals σ and τ, propagates data and signals to the left neighbor, computes the value u and the sum a · b_in + u · m_in + s_in. For consistency, two zero carries should also be generated. Below we give a description of the rightmost PE, including the specification of data and control signal transmissions:

    a'_in = mux(τ : x_in, a_in);
    b'_in = mux(σ_in : b_in, s_in);
    u_in = (a'_in · b'_in ⊕ s_in) · w;
    s_out + 2 · c_out = a'_in · b'_in + u_in · m_in + s_in;
    u_out = u_in;   a_out = a_in;   both additional carry outputs = 0.

The main computational module of the rightmost PE after the optimisation and its structure as a whole are depicted in Fig. 6 and Fig. 5, respectively.

4 XACTStep 6000 Automatic Design and Its Optimisation 

A high level of correspondence between the requirements of bit-level systolic arrays and FPGA designs provides an opportunity to implement a modular exponentiation algorithm on Xilinx XC6000 chips ensuring a very dense allocation of gates.

An ultimate design goal in our experiment was to find an absolute limit of the number of bits in Montgomery exponentiation that can be handled by one 64 × 64 XC6000 chip without storing intermediate data in SRAM and without reprogramming the chip. By trial and error we found that automatic allocation provides successful routing for systolic arrays with a maximum of 67 PEs (1 starred, and 66 plain). Obviously, this is far from the limit. We decided to use it as a starting point for manual optimisation. Remote gates and registers were brought closer together so as to provide locality of interconnections and a higher density of the overall design. For manual allocation of gates at the level of the ViewLogic design, the RLOC (relative location) attribute has to be used. The attribute determines the coordinates of a gate inside its module.

To embed a long and narrow one-dimensional array of PEs constituting a systolic design into an XC6000 64 × 64 square of logic cells, a natural solution is to partition this array into blocks of PEs with respect to the width of the chip, so that every block can be allocated in a side-to-side line on a chip, and then combine these blocks in a “zig-zag” snake-like structure. The length of the block is determined empirically, and is better estimated conservatively, so as to allow for some extra space to permit successful routing in the corners. In our case one block constitutes 13 PEs. It should be noted that the allocation of PEs inside the block must be manual, since we want a long narrow band of gates while an automatic allocation tries to provide a square-like allocation.

To eliminate irregularity and crisscross connections between PEs in every second block of the zig-zag, we had to design a mirror image for a block by reflecting the block itself. Every PE inside the reflected block has to be a mirror image under reflection of a regular PE with the same functionality; and two additional types of mirror images under rotation were used for the leftmost and the rightmost PEs in a block to ensure locality of logic connections where the “snake” turns. All this allows us to allocate 132 PEs successfully on XC6000 64 × 64 logic cells. In other words, we can exponentiate a 132-bit long integer on one Xilinx XC6000 chip. The allocation of 132 PEs on a chip and the successful routing are presented in Fig. 7.



5 Summary 

We presented a new implementation of a modular exponentiation algorithm based on a Montgomery multiplication operation on fine-grained FPGAs. With hand-crafted optimisation we managed to embed a modular exponentiation of 132-bit long integers into one Xilinx XC6000 chip, which is to our knowledge one of the best fine-grained FPGA designs for a modular exponentiation reported so far. 2,615 out of 4,096 gates are used for computations, and 528 for registers, providing 75% density. This array can be used both for reducing B to B̄ by (2) and for reducing a final value B̄^n to B^n by (3).

Hence, 4 Kgates (one XC6000 chip) is required for modular exponentiation of 132-bit long integers. 512-bit long integers need 4 XC6000 chips connected in a pipeline fashion, or 16 Kgates. Taking into account the total running time (see Chapter 2), we can estimate the bit rate for a clock frequency of 25 MHz as approximately 800 Kb/sec for 512 bit keys, which is comparable with the rate reported in a fundamental paper of Shand and Vuillemin, and an order of magnitude better than those of two other reported designs. Further improvement of the proposed implementation can be achieved by simplification of the operation performed by the starred vertices to an ordinary (non-starred vertex) operation, due to shifting B up to make b_0 = 0. The reduction of complexity of starred vertices decreases the overall time and provides a higher clock rate.
Fig. 6. Main computational block of starred PE.



Fig. 7. Allocation and successful routing for 132 PEs. 
Abstract. The ways in which the threshold parameter can be modified after the setup of a secret sharing scheme are the main theme of this work. The considerations are limited to the case when there are no secure channels. First we motivate the problem and discuss methods of threshold change when the dealer is still active and can use broadcasting to implement the change required. Next we study the case when participants themselves initiate the change of threshold without the dealer’s help. A general model for threshold changeable secret sharing is developed and two constructions are given. The first generic construction allows the design of a threshold changeable secret sharing scheme which can be implemented using the Shamir approach. The second construction is geometrical in nature and is optimal in terms of the size of shares. The work is concluded by showing that any threshold scheme can be given some degree of threshold change capability.

Keywords: Secret Sharing, Threshold Changeable Secret Sharing, Shamir Secret Sharing, Geometrical Secret Sharing.



1 Introduction

A $(t, n)$-threshold scheme is a method of splitting a secret piece of information among $n$ participants in such a way that any $t$ of the participants can together recover the secret. They do this by pooling together their shares, which are secret values securely transmitted to them by a dealer on initialisation of the threshold scheme. Threshold schemes are special examples of secret sharing schemes, which allow more general combinations of participants to collectively engage in recovery of the secret [?]. Secret sharing schemes, and in particular threshold schemes, have become an indispensable basic cryptographic tool in any security environment where active entities are groups rather than individuals [?]. The group of participants involved in a threshold scheme is not necessarily static over time. The number of participants and the threshold parameter may fluctuate, reflecting the current structure of the organisation to whom the participants belong and the sensitivity of the secret. New participants may enter an organisation and need to be incorporated into the security structure (enrolment). Current participants may leave the organisation, their shares may become compromised, or their access to the secret may be withdrawn for security reasons (disenrolment). A high threshold parameter established on initialisation due to a high degree of mutual distrust among the participants may be relaxed as the participants' mutual trust grows over time (threshold decrease). Alternatively, mutual trust may decrease over time, perhaps due to organisational problems or security incidents, and hence the threshold parameters may require tightening (threshold increase). The longer the lifetime of a secret, the greater the chances that any of these alterations to the security policy in place on scheme initialisation will occur, and hence the greater the likelihood that the threshold parameters may need to be changed. Such a need is related, but quite distinct, to the notion of proactivity [?], where shares are refreshed at regular time intervals for security reasons, but where the threshold parameters do not change after each share refreshment.

This motivates our interest in considering the problem of how to change the parameters of a $(t, n)$-threshold scheme after it has been initialised. In other words, how to obtain a $(t', n')$-threshold scheme from a $(t, n)$-threshold scheme. We assume that the secret is not reconstructed by the participants before the change of parameter. An obvious method of conducting such a change is for the dealer to issue new shares to all the participants in the new threshold scheme. This is an inefficient, and often impractical, solution as it involves the use of secure communications from the dealer to each participant, which may not be possible at the time the change of threshold is required. A possible method of enabling a change in the parameters of a threshold scheme is to conduct a secret redistribution. This technique was investigated for general secret sharing schemes in [?]. A redistribution of the secret is conducted by the participants of the original scheme, and involves them communicating information among themselves, and among any new participants in the new scheme. Secret redistributions have two notable advantages in that they do not involve the dealer and that they can be conducted without any prior knowledge that a change of threshold parameters is required. However, in general a redistribution requires the existence of secure communication links between the threshold scheme participants, which may be impossible or undesirable in many applications.

In this paper we investigate how to change the parameters of a threshold scheme in the absence of either a secure link from the dealer to participants, or secure links between participants themselves. We restrict our attention to the cases of threshold increase and threshold decrease. Disenrolment in the absence of secure links has already been subject to investigation [?]. It does not seem likely that enrolment is possible in the absence of any secure links (unless enrolling participants have already been issued with some advance information and have been operating as "sleeping" participants, which arguably does not count as fresh enrolment). In the following discussion we note that procedures for changing threshold can be classified by the amount of preparation for change that is made on the initialisation of the original threshold scheme. We will consider cases where the exact change of threshold parameter is known on initialisation, where only the knowledge that a change (but not which change) will occur is known on initialisation, and where no advance preparation for change is made. The new threshold will be agreed upon by sending messages over public channels. We distinguish two cases: the case that the original dealer is still active and the case that the original dealer is no longer in existence and shareholders decide on the new threshold themselves. We assume that after such an agreement shareholders will behave honestly with respect to their agreed threshold and submit correct shares in the reconstruction phase. A good example of a situation in which a change of threshold under the above conditions is required is when the communication channels of $t$ shareholders in a $(t, n)$ threshold scheme are tapped by an enemy, and hence an attempt to reconstruct the secret will enable the enemy to find the secret. By raising the threshold to $t' > t$, the enemy will remain completely uncertain about the value of the secret. A second example is for distributing authority among a group of $n$ participants and requiring two levels of collaboration, $t$ and $t'$, for two levels of security. This kind of multilevel security may also be seen as an option given to participants so that for more sensitive decisions a higher degree of agreement could be used. We also note that in some cases it may be desirable for the value of the secret to change when the threshold parameter changes. In general this is simply a matter of choice for threshold decrease. For threshold increase, however, after the change of parameters certain sets that could previously access the secret may no longer be intended to have that access.

The paper is organised as follows. In Section 2, threshold schemes are introduced. Section 3 discusses general techniques for changing threshold by dealer broadcast. Section 4 introduces the model, derives bounds and proposes constructions for changing threshold without dealer assistance. Section 5 includes ideas on how an arbitrary threshold scheme can be made threshold changeable and Section 6 concludes the paper.

2 Threshold Schemes

Let $\mathcal{P} = \{P_1, \dots, P_n\}$ be a group of $n$ participants. Let $S$ be the set of secrets and let the share of $P_i$ come from the set $S_i$. A $(t, n)$-threshold scheme is a pair of algorithms: the dealer and the combiner. For a given secret from $S$ and some random string from $R$, the dealer algorithm applies the mapping

$$\mathcal{D}_{t,n} : S \times R \to S_1 \times \dots \times S_n$$

to assign shares to participants from $\mathcal{P}$. The shares of a subset $A \subseteq \mathcal{P}$ of participants can be input into the combiner algorithm

$$\mathcal{C}_{t,n} : \bigcup_{P_i \in A} \{S_i\} \to S$$

which will return the secret if $A \subseteq \mathcal{P}$ and $|A| \ge t$, otherwise it fails. Each instance of the threshold scheme (a pair $(s, r)$, $s \in S$, $r \in R$) thus indexes a distribution rule, and a threshold scheme can be combinatorially represented by a matrix whose rows form the distribution rules and whose columns are indexed by the secret and the participants. If we associate a probability with each $s \in S$ then a threshold scheme can also be described information theoretically using the entropy function [?]. More precisely, if $|A| \ge t$ then $H(S|A) = 0$, and if $|A| < t$ then $H(S|A) \ne 0$. A threshold scheme is perfect if $H(S|A) = H(S)$ for any $|A| < t$ (in other words, groups of fewer than $t$ participants learn no more information about the secret than is publicly known). Perfect threshold schemes with $H(S_i) = H(S)$ for all $i = 1, \dots, n$ are said to be ideal. In general it can be assumed that in an ideal threshold scheme $S_i = S$ for each $i = 1, \dots, n$. A consequence of the definition of a perfect threshold scheme is that the size of the shares is at least the size of the secret, that is $H(S_i) \ge H(S)$ [?]. If we reduce the share size below that of the secret then it necessarily follows that the perfect property must be sacrificed. An example of threshold schemes that are not perfect are the so-called ramp schemes [?], which offer a compromise between security and share size. A $(c, t, n)$-ramp scheme is a $(t, n)$-threshold scheme such that:

1. If $A \subseteq \mathcal{P}$ and $|A| \ge t$, then $H(S|A) = 0$;

2. If $A \subseteq \mathcal{P}$ and $c < |A| < t$, then $0 < H(S|A) < H(S)$;

3. If $A \subseteq \mathcal{P}$ and $|A| \le c$, then $H(S|A) = H(S)$.

In [?] a $(c, t, n)$-ramp scheme with the property that $H(S_i) = H(S)/(t - c)$ for each $i = 1, \dots, n$ is shown to be optimal (where an optimal ramp scheme is a ramp scheme where $H(S|A) = ((t - r)/(t - c))H(S)$ for $|A| = r$, $c < r < t$, and shares are of minimal size). Such schemes have nice properties and are easily constructed (see [?] for details).

3 Changing Threshold by Dealer Broadcast

In this section we assume that the original dealer of the threshold scheme is still active, but no longer able to use the secure links that were used to initiate the scheme. All messages from the dealer must thus take the form of broadcasts, where we assume that a broadcast message is an insecure communication that can be read by all participants and any outsiders to the scheme. There are two general techniques that can be used to change threshold by means of a broadcast message.

1. Advance key technique. The dealer gives each participant a secret key as well as their share on initialisation. When the time comes to change threshold parameters, the dealer broadcasts new shares of the new threshold scheme, but encrypted under the secret keys issued to each participant. Unconditional security can be maintained by using a one-time pad to encrypt the information on this insecure channel.

2. Advance share technique. The dealer gives each participant shares in two different threshold schemes on initialisation. When the time comes to change threshold parameters, the dealer broadcasts specific shares of the second scheme that have the effect of changing the threshold parameters as required (see below).

The advance key technique would appear to be a somewhat trivial solution to the problem of changing thresholds by dealer broadcast. It does however suffer from the disadvantage that the size of the broadcast message is directly proportional to the number of participants in the scheme. The advance share technique can be used to reduce the broadcast size. A general example of the advance share technique can be derived from techniques in [?]. In this case, as well as their initial share in a $(t, n)$-scheme, on initialisation each participant is given a share in an $(n+1, 2n)$-scheme, which is defined on the $n$ real participants and $n$ imaginary (dummy) participants. To realise a $(t', n)$ scheme the dealer broadcasts $n - t' + 1$ shares of the $(n+1, 2n)$-scheme belonging to $n - t' + 1$ dummy participants. The resulting scheme is an $(n+1, 2n)$-scheme contracted at $n - t' + 1$ participants: that is, a $(t', n + t' - 1)$-scheme. However, $t' - 1$ of the shareholders are dummy participants and so the effective scheme is a $(t', n)$-scheme. The following comments apply to the two general techniques:

1. Both general techniques can be used when it is known on initialisation that a change of the threshold parameters may be needed, but not exactly what change will be necessary.

2. If the value of the secret changes when the threshold changes (i.e. the shares of the $(n+1, 2n)$-scheme correspond to a different secret than the original shares) then both threshold increase and decrease are possible using these techniques. If the value of the secret stays the same then in the case of threshold increase, participants must be trusted to move onto the new shares and not use their original ones (see comments in Section 1).

We can refine the advance share technique for threshold decrease if it is known on initialisation exactly what change in threshold parameter may be required. Let $t' < t$. Let $m = \max(n, n') + (t - t')$. On initialisation, the dealer issues shares of a $(t, n + t - t')$-scheme to the $n$ participants. The remaining $t - t'$ shares correspond to dummy participants and hence the resulting scheme is a $(t, n)$-scheme. To change this to a $(t', n)$-scheme the dealer broadcasts the $t - t'$ shares belonging to the dummy participants. The resulting scheme is a $(t, n + t - t')$-scheme contracted at $t - t'$ participants: that is, a $(t', n)$-scheme. The advantages of this refinement are that it is no longer necessary to issue an extra share in advance to each participant, and the broadcast message will usually be much shorter than for the general techniques.
4 Changing Threshold without Dealer Assistance

For the rest of this paper we assume that the dealer is no longer able to provide assistance in changing the threshold parameter. In the absence of both an active dealer and any secure channels between participants it is clear that participants can only use the information sent to them on initialisation of the original scheme. Hence the original "shares" must contain the information necessary for deriving both the shares of the initial $(t, n)$-scheme and the shares of the future scheme (we refer to these two derived shares as subshares). Such a system is therefore restricted in its application to situations where participants are trusted to operate "honestly" in the sense that during a reconstruction of the secret they only use the subshare that is relevant to the threshold in current use (see Section 1). A number of trivial solutions to this problem exist. If it is known in advance exactly what threshold change will be required then the initial share given to each participant could consist of one subshare corresponding to a share in the original $(t, n)$-scheme, and a second subshare that consists of a share in the later $(t', n)$-scheme. In this naive construction the required storage for each participant is $2H(S)$ (assuming the two systems are ideal). In general the size of the stored shares for each participant grows linearly with the number of required thresholds, which makes this method very inefficient. Another possible solution is to use the broadcast techniques of Section 2 and rely on a publicly accessible directory containing transcripts of the relevant broadcast messages for certain types of threshold change. Since participants are required to behave with a degree of honesty, they can be trusted to read the relevant broadcast message at the appropriate time. These solutions do also generally involve more than one subshare being stored securely. We are thus interested in solutions that minimise the amount of information that each participant must store in order to derive both a $(t, n)$- and a $(t', n)$-scheme. The approach we will take is to construct $(t, n)$-schemes that can be changed into $(t', n)$-schemes through manipulation of the original shares. We will assume that $t' > t$ (threshold increase) and note that the schemes proposed could also be used for threshold decrease. For such schemes at least some advance knowledge of the future threshold change should be known on initialisation, since the schemes are designed to permit change. Later we consider some options for the much more difficult task of achieving some degree of change to an arbitrary threshold scheme (with no inbuilt mechanism in place to allow threshold change).



4.1 A Model for Threshold Change without Dealer Assistance

In this section we consider a basic model for schemes that permit threshold change without dealer assistance. We also discuss possible efficiency measures and then provide some constructions for such systems.

Definition 1. A perfect $(t, n)$-threshold secret sharing scheme with a dealer algorithm

$$\mathcal{D}_{t,n} : S \times R \to S_1 \times \dots \times S_n$$

is called threshold changeable to $t'$ if there exist publicly known functions $h_i : S_i \to T_i = h_i(S_i)$, for $1 \le i \le n$, such that $H(S|T_A) = 0$ for any $|A| \ge t'$, and $H(S|T_A) < H(S)$ for any $|A| < t'$, where $A \subseteq \{1, \dots, n\}$.

From this definition, if we combine the dealer algorithm $\mathcal{D}_{t,n}$ with the functions $h_i$, we obtain the function

$$\mathcal{D}' : S \times R \to T_1 \times \dots \times T_n$$

defined by $\mathcal{D}' = (h_1 \times \dots \times h_n)\mathcal{D}_{t,n}$. It has the obvious properties

$$H(S|T_A) = \begin{cases} 0 & \text{if } |A| \ge t'; \\ H(S) & \text{if } |A| < t, \end{cases}$$

for any $A \subseteq \{1, \dots, n\}$. Thus we may regard $\mathcal{D}'$ as a new dealer algorithm for a secret sharing scheme with $n$ participants. In this model the subshare used in the $(t, n)$-threshold scheme consists of the entire original share, and the subshare used in the $(t', n)$-threshold scheme is determined by the functions $h_i$.



4.2 Efficiency Measures

We denote the $(t, n)$-threshold scheme by $\Pi$ and the $(t', n)$-threshold scheme by $\Pi'$. The following lemma is fairly obvious.

Lemma 1. Let $\Pi$ be an ideal $(t, n)$-threshold scheme threshold changeable to $t' > t$. Then the resulting $(t', n)$-threshold scheme $\Pi'$ is not perfect.

Proof. By contradiction. Assume that the scheme $\Pi'$ is ideal and perfect and any $t'$ shares determine the secret. Thus $H(T_i) = H(S_i) = H(S)$. As the function $h_i$ is deterministic we know that $H(T_i|S_i) = 0$. Since $I(S_i; T_i) = H(S_i) - H(S_i|T_i) = H(T_i) - H(T_i|S_i)$, $H(T_i) = H(S_i)$ and $H(T_i|S_i) = 0$, then $H(S_i|T_i) = 0$. This means that there is a one-to-one correspondence between shares from $\Pi$ and $\Pi'$. This also says that the threshold of $\Pi'$ must be $t$, which gives us our requested contradiction.

The efficiency of a perfect $(t, n)$-threshold scheme that is threshold changeable to $t'$ can be measured by

1. the maximum and average size of the share which needs to be stored, given by $H(S_i)$, for $1 \le i \le n$,

2. the amount of information which needs to be delivered to the combiner at the pooling time, expressed by $\sum_{i \in A} H(T_i)$ for $A \subseteq \{1, \dots, n\}$ where $|A| = t'$,

3. the size of the subshares to be sent to the combiner, given by $H(T_i)$, for $1 \le i \le n$.

Theorem 1. Let $\Pi$ be a perfect $(t, n)$-threshold scheme that is threshold changeable to $t'$ using functions $\mathcal{H} = \{h_i\}_{1 \le i \le n}$. Then

1. $H(S_i) \ge H(S)$ for $1 \le i \le n$;

2. $\sum_{i \in A} H(T_i) \ge \frac{t'}{t' - t + 1} H(S)$ for any $A \subseteq \{1, \dots, n\}$ with $|A| = t'$;

3. $\max_{1 \le i \le n}\{H(T_i)\} \ge \frac{H(S)}{t' - t + 1}$.

Proof. Part 1 follows by the definition of a perfect threshold scheme. We next prove part 3. Assume that $A$ is a $t'$-subset of $\{1, \dots, n\}$ and $B$ is a subset of $A$ such that $|B| = t - 1$. We have

$$I(S; T_{A \setminus B} \mid T_B) = H(S|T_B) - H(S|T_B, T_{A \setminus B}) = H(S|T_B) - H(S|T_A) = H(S|T_B) = H(S).$$

On the other hand,

$$I(S; T_{A \setminus B} \mid T_B) = H(T_{A \setminus B}|T_B) - H(T_{A \setminus B}|T_B, S) \le H(T_{A \setminus B}) \le |A \setminus B| \max\{H(T_i) : i \in A \setminus B\} = (t' - t + 1)\max\{H(T_i) : i \in A \setminus B\},$$

proving part 3. To see part 2, let $A$ be a $t'$-subset of $\{1, \dots, n\}$. For any subset $B$ of $A$ with $|B| = t - 1$, from the proof of part 3 we know that $\sum_{i \in A \setminus B} H(T_i) \ge H(S)$. Let $\mathcal{F}$ be the collection of all $(t-1)$-subsets of $A$. We show that

$$\sum_{B \in \mathcal{F}} \sum_{i \in A \setminus B} H(T_i) = \binom{t'-1}{t-1} \sum_{i \in A} H(T_i).$$

Indeed, for each $i \in A$, we denote $\mathcal{F}_i = \{B \in \mathcal{F} : i \notin B\}$. Then in the above equation $H(T_i)$ appears $|\mathcal{F}_i| = \binom{t'-1}{t-1}$ times in the right-hand side for each $i \in A$, and so the equation follows. We then have

$$\binom{t'-1}{t-1} \sum_{i \in A} H(T_i) = \sum_{B \in \mathcal{F}} \sum_{i \in A \setminus B} H(T_i) \ge |\mathcal{F}| \, H(S) = \binom{t'}{t-1} H(S),$$

and obtain

$$\sum_{i \in A} H(T_i) \ge \frac{\binom{t'}{t-1}}{\binom{t'-1}{t-1}} H(S) = \frac{t'}{t' - t + 1} H(S).$$

It is worth noting that item 2 shows that it is possible that the amount of information which needs to be delivered to the combiner at the pooling time is less than for the original scheme ($tH(S)$), but of course the latter scheme is not perfect.

Definition 2. A perfect $(t, n)$-threshold scheme $\Pi$ that is threshold changeable to $t'$ is called optimal if the bounds in Theorem 1 are met with equality.

Corollary 1. If a perfect $(t, n)$-threshold scheme $\Pi$ that is threshold changeable to $t'$ is optimal then $\Pi$ is ideal and $\Pi'$ is a $(t-1, t', n)$ optimal ramp scheme.

Proof. By definition $\Pi$ is ideal and $\Pi'$ is a $(t-1, t', n)$ ramp scheme. From Theorem 1 (Part 2) it follows that $H(T_i) = \frac{H(S)}{t' - t + 1}$, $1 \le i \le n$, and hence that the ramp scheme is optimal (see Section 2).

4.3 A General Construction from a Ramp Scheme

As noted earlier, a naive (and very inefficient) method of allowing shareholders to choose among a number of thresholds is to give them independent subshares for each scheme. In this section we describe a much more efficient method of constructing a threshold scheme which can have a number of possible thresholds and has the property that the original scheme is ideal. We give a general construction and then give the details of an implementation based on the Shamir polynomial scheme.
Theorem 2. If there exists an optimal $((t-1)v, tv, nv)$-ramp scheme, then there exists a $(t, n)$ threshold scheme that is threshold changeable to $k$ for any integer $k$ such that $k \mid vt$.

Proof. Let $\Lambda$ be an optimal $((t-1)v, tv, nv)$ ramp scheme. We can construct a $(t, n)$ ideal threshold scheme $\Pi$ from $\Lambda$ as follows. As their initial share, give each participant in $\Pi$ $v$ different shares in $\Lambda$ (we call these component shares). Since $\Lambda$ is optimal, it is easy to verify that $\Pi$ is a $(t, n)$ ideal threshold scheme. We further define the conversion $h_i$ by letting the subshare of the $(k, n)$-scheme be formed by taking any $vt/k$ component shares from the share of participant $P_i$ (who has $v$ component shares) for each $1 \le i \le n$. It is clear that $k$ of these subshares will now be necessary to reconstruct the secret.

Let $u$ denote the number of integers $k$ such that $k \mid vt$. The reduction in the size of storage for each shareholder compared to the naive method is $(u - 1)H(S)$. A conceptually useful way of constructing ramp schemes suitable for use in Theorem 2 is to recall that by Theorem 9 of [?] we know that if there exists a $(tv, nv + v - 1)$ ideal threshold scheme then there exists an optimal $((t-1)v, tv, nv)$ ramp scheme. A simple construction method is thus to start with a Shamir threshold scheme interpreted as a ramp scheme. Assume that $S = GF(q)^v$ is the set of shares and secrets.

Construction

1. Let $q > nv$. To share a secret $s = (s_1, \dots, s_v) \in GF(q)^v$ the dealer randomly chooses a polynomial $F(x)$ of degree at most $tv - 1$ such that $F(x)$ satisfies

$$(F(1), \dots, F(v)) = (s_1, \dots, s_v).$$

More precisely, $F(x)$ can be chosen in the following way. First select at random a vector $(s_{v+1}, \dots, s_{tv}) \in GF(q)^{(t-1)v}$ and then use Lagrange interpolation to compute the unique polynomial $F(x)$ of degree at most $tv - 1$ satisfying $(F(1), \dots, F(tv)) = (s_1, \dots, s_{tv})$. Notice that the randomness of $(s_{v+1}, \dots, s_{tv})$ results in the randomness of $F(x)$.

2. The dealer chooses $nv$ distinct numbers $x_1, \dots, x_{nv}$ in $GF(q) \setminus \{\ldots\}$. Each participant $P_i$ is assigned a subset $A_i \subseteq \{x_1, \dots, x_{nv}\}$ of $v$ elements. The $A_i$ are public and unique for the participant $P_i$. Let $A_i = \{x_{i_1}, \dots, x_{i_v}\}$. The share of $P_i$ is $S_i = F(A_i) = (F(x_{i_1}), \dots, F(x_{i_v}))$.

3. At the pooling time, any $t$ out of $n$ participants can use Lagrange interpolation to compute the polynomial $F(x)$ and so recover the secret $(F(1), \dots, F(v))$.

The following comments apply to the above construction (and any other construction obtained using Theorem 2):

— Initially the scheme is clearly a $(t, n)$-threshold scheme. Any $t - 1$ participants have no information about which of the $q^v$ candidates for the secret has been selected.

— Any $k$ participants, each submitting $vt/k$ parts of their share, can reconstruct the secret.

— Any $k - 1$ participants $A$, each submitting $vt/k$ parts of their share, are left with $H(S|A) = (t/k)H(S)$, by definition of the ramp scheme.

— With respect to the bounds in Theorem 1, we have $H(S_i) = H(S)$, but $H(T_i) = (t/k)H(S)$. Thus such schemes will only be optimal in the degenerate case that $t = 1$.

— Each shareholder has $v \log q$ secret bits, which is the same as the secret size.
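Both the dummy-share broadcast refinement of Section 3 and the ramp-based construction above can be exercised with a small Shamir implementation over a prime field. The following Python is an added example, not code from the paper; the prime P = 31, the parameters (t = 2, v = 2, n = 4, k = 4 for the construction, and t = 3, t' = 2, n = 4 for the Section 3 case) and the choice of evaluation points outside {1, ..., tv} are all constructed for illustration.

```python
"""Added example (not the paper's code): threshold change with Shamir polynomials over GF(P).

Part A: the Section 3 refinement, where the dealer deals a (t, n + t - t')-scheme and
later broadcasts the t - t' dummy shares to lower the threshold to t'.
Part B: the Section 4.3 construction, where the secret is (F(1), ..., F(v)) for a
polynomial F of degree at most tv - 1 and each participant holds v component shares.
"""
import itertools
import random

P = 31  # constructed: a small prime, so GF(P) arithmetic is plain modular arithmetic


def interpolate(points, x):
    """Lagrange interpolation over GF(P): value at x of the unique polynomial
    of degree < len(points) passing through the given (x_i, y_i) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total


# ---- Part A: threshold decrease by dealer broadcast of dummy shares (Section 3) ----

def deal_with_dummies(secret, t, n, t_new, rng=None):
    """Deal a (t, n + t - t_new) Shamir scheme with secret F(0).
    Returns the n real shares and the t - t_new dummy shares the dealer holds back."""
    rng = rng or random.Random()
    defining = [(0, secret)] + [(j, rng.randrange(P)) for j in range(1, t)]
    total = n + t - t_new
    shares = [(x, interpolate(defining, x)) for x in range(t, t + total)]
    return shares[:n], shares[n:]


def recover_shamir(points):
    """Combiner: any t points of the degree < t polynomial give F(0)."""
    return interpolate(points, 0)


# ---- Part B: the ramp-based construction of Section 4.3 ----

def deal_ramp_shares(secret, t, v, n, rng=None):
    """Dealer: F(i) = s_i for 1 <= i <= v, F(v+1), ..., F(tv) random; participant
    P_i receives the v evaluations F(x) for x in its public set A_i."""
    rng = rng or random.Random()
    defining = [(i + 1, s) for i, s in enumerate(secret)]
    defining += [(j, rng.randrange(P)) for j in range(v + 1, t * v + 1)]
    xs = list(range(t * v + 1, t * v + 1 + n * v))  # nv distinct points outside {1..tv}
    return [[(x, interpolate(defining, x)) for x in xs[i * v:(i + 1) * v]] for i in range(n)]


def subshare(share, t, v, k):
    """The conversion h_i for threshold k (k | vt): keep vt/k of the v component shares."""
    return share[: (v * t) // k]


def recover_ramp(pooled, t, v):
    """Combiner: tv pooled evaluation points determine F and hence (F(1), ..., F(v))."""
    assert len(pooled) >= t * v, "fewer than tv points: F is not determined"
    base = pooled[: t * v]
    return tuple(interpolate(base, i) for i in range(1, v + 1))


def count_consistent_secrets(pooled, t, v):
    """Brute force (tiny field only): number of secrets in GF(P)^v for which some
    polynomial of degree < tv agrees with the pooled points. This counts the
    candidates left to a coalition, i.e. the ramp leakage H(S|A) = (t/k)H(S)."""
    hits = 0
    for cand in itertools.product(range(P), repeat=v):
        pts = pooled + [(i + 1, s) for i, s in enumerate(cand)]
        base, rest = pts[: t * v], pts[t * v:]
        if all(interpolate(base, x) == y for x, y in rest):
            hits += 1
    return hits


if __name__ == "__main__":
    rng = random.Random(1)  # seeded only so the demonstration is reproducible
    real, dummies = deal_with_dummies(17, t=3, n=4, t_new=2, rng=rng)
    print("2 real shares + broadcast dummy ->", recover_shamir(real[:2] + dummies))
    shares = deal_ramp_shares((5, 9), t=2, v=2, n=4, rng=rng)
    print("2 full shares ->", recover_ramp(shares[0] + shares[1], 2, 2))
    subs = [subshare(s, 2, 2, 4) for s in shares]
    print("4 subshares ->", recover_ramp(sum(subs, []), 2, 2))
    print("candidates after 3 subshares:", count_consistent_secrets(sum(subs[:3], []), 2, 2))
```

Running the file shows that three of the four participants who each submit one component share are left with exactly 31 candidate secrets out of 31^2, matching H(S|A) = (t/k)H(S) = H(S)/2 for this parameter choice.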

4.4 An Optimal Geometrical Construction

The previous construction is conceptually simple and easy to implement. It is not however optimal. We now give an example of an optimal perfect $(t, n)$-threshold scheme that is threshold changeable to $t'$. This construction is described in terms of projective geometry, a technique first used for secret sharing schemes in [?]. For background information on projective geometry, see [?].

Fig. 1. An optimal (2, 7)-scheme that is threshold changeable to 3

First note that a $(1, 3, n)$-ramp scheme can be constructed in finite projective space as follows.

1. Let $\Pi$ be a publicly known plane and let each line contained in $\Pi$ represent a possible secret.

2. Pick another plane $\Pi_1$ that meets $\Pi$ in a line $\ell$.

3. Pick $n$ points on $\Pi_1$, but not on $\ell$, such that no three of the points are collinear. Give one point to each participant as their share of the secret.
Any three shares consist of three non-collinear points, and thus knowledge of three shares is enough to generate the plane $\Pi_1$. Plane $\Pi_1$ can then be intersected with the public plane $\Pi$ to recover the secret line $\ell$. Any two shares $X_1, Y_1$ consist of two points which define a line $(X_1, Y_1)$. This line meets $\ell$ in a unique point $P_1$. Since it takes knowledge of two points on $\ell$ to define $\ell$, it follows that knowing two shares only reveals "half" of $\ell$. Finally, any one share consists of one point not on $\ell$, the span of which is naturally just that point and thus defines no points on $\ell$. Hence knowledge of one share reveals nothing about the secret line $\ell$. To see that such a configuration results in a set of mappings that fits the definition of a ramp scheme in Section 2, see [?]. Essentially there is one mapping for each plane $\Pi_1$ that meets plane $\Pi$ in a line. Each secret line is represented by two points that generate that line. In each mapping, the share of a participant is one point and the secret is two points, and hence $H(S_i) = H(S)/2$. In other words, the ramp scheme is optimal. We now extend this idea to construct an optimal perfect $(2, n)$-threshold scheme that is threshold changeable to 3.

1. Construct an optimal $(1, 3, n)$-ramp scheme on planes $\Pi$ and $\Pi_1$ as before.

2. Pick another plane $\Pi_2$, distinct from $\Pi$ and $\Pi_1$, that meets $\Pi_1$ (and $\Pi$) in the line $\ell$.

3. Construct an optimal $(1, 3, n)$-ramp scheme on plane $\Pi_2$. Each shareholder now holds a share that consists of two points, one on $\Pi_1$ and one on $\Pi_2$. The points of this second scheme must be allocated to shareholders in such a way that for any pair of shareholders, the unique point on $\ell$ generated by their two points on $\Pi_1$ is distinct from the unique point on $\ell$ defined by their two points on $\Pi_2$. Such an allocation of shares to shareholders is always possible (see the closing remark in this section).

The resulting configuration is illustrated in Figure 1. Note that $\Pi$ is not illustrated. In Figure 1 the share of participant $X$ consists of points $X_1$ and $X_2$ (equivalently, line $(X_1, X_2)$), and the share of participant $Y$ consists of points $Y_1$ and $Y_2$ (line $(Y_1, Y_2)$).

— Initially, shareholders use both their points to reconstruct the secret. Thus if shareholders $X$ and $Y$ try to reconstruct the secret then they can each use their point in each of the planes to generate the lines $(X_1, Y_1)$ and $(X_2, Y_2)$, which meet $\Pi$ in points $P_1$ and $P_2$ respectively. Since $P_1$ and $P_2$ are distinct, the two shareholders use these points to generate the secret $\ell$. Further, each of the lines $(X_1, X_2)$ and $(Y_1, Y_2)$ is skew to $\ell$ and hence one shareholder cannot generate any points of $\ell$. Thus the initial configuration can be used to generate a perfect $(2, n)$-threshold scheme.

— If shareholders just use their points on plane $\Pi_1$ then the result is the configuration of a $(1, 3, n)$-ramp scheme, as described previously. Hence any three participants can generate the secret, any two learn "one half" of the secret, and one shareholder learns nothing about the secret.

— The conversion of such a configuration into a scheme satisfying Definition 1 is identical to the conversion process described in [?] for geometric secret sharing. The function $h_i$ is simply the function that extracts the point on $\Pi_1$ from the pair of points allocated to the $i$th shareholder.

— The secret is represented by a line (two points). Each shareholder has a share consisting of two points. If the threshold is changed to three, then each shareholder only submits one point, exactly one half of their share. Thus with respect to the bounds in Theorem 1 we have $H(S_i) = H(S)$, and $H(T_i) = H(S)/2$. The scheme is thus optimal.

The above scheme generalises to a configuration for an optimal perfect $(t, n)$-threshold scheme that is threshold changeable to $t'$ as follows:

1. Replace each plane $\Pi_j$ by a space of projective dimension $t' - 1$.

2. Take $t' - t + 1$ of these spaces (instead of just two in Figure 1) such that all the spaces $\Pi_j$ meet in a subspace $\ell$ of projective dimension $t' - t$.

3. On each space $\Pi_j$ choose $n$ points such that no $t'$ points lie together in a subspace of projective dimension $t' - 2$. This defines a $(t-1, t', n)$-ramp scheme on $\Pi_j$. When the threshold is increased to $t'$, shareholders will submit only their points on space $\Pi_1$.

4. Any $t$ points on any $\Pi_j$ define a subspace of projective dimension $t - 1$ that meets $\ell$ in a point. By labelling the points on the spaces $\Pi_j$ carefully (see below) we ensure that the $t' - t + 1$ points on $\ell$ defined by any $t$ shareholders (one point on $\ell$ for each space $\Pi_j$) are all distinct, and hence together define $\ell$. Thus the original scheme is a $(t, n)$-threshold scheme.

5. Each subshare is one point, the secret (and each share) is defined by $t' - t + 1$ points, and hence the scheme is optimal.

It remains to describe how to allocate the points on each space to shareholders in order to ensure the "distinctness" property described above. A summary of how this is done is as follows:

1. Let $\phi$ be a Singer cycle on $\ell$ ($\phi$ permutes the points of $\ell$ in a cycle whose length is the number of points on $\ell$).

2. Extend $\phi$ to an automorphism of $\Pi_1$.

3. Let the points on $\Pi_2$ be a projection of the points on $\Pi_1$. If shareholder $i$ received point $X_i$ on $\Pi_1$ then give shareholder $i$ the projection of point $\phi(X_i)$ on $\Pi_2$.

4. More generally, let the points on $\Pi_{j+1}$ be a projection of the points on $\Pi_1$. If shareholder $i$ received point $X_i$ on $\Pi_1$ then give shareholder $i$ the projection of point $\phi^j(X_i)$ on $\Pi_{j+1}$.

The linearity relationships between the points on $\Pi_1$ are preserved by the automorphism $\phi$ and so the resulting configuration on $\Pi_2$ has the same properties as that on $\Pi_1$. Further, as $\phi$ restricted to $\ell$ is a Singer cycle, we are guaranteed that there are no points on $\ell$ fixed by $\phi$. Hence (considering the simple example) if points $X_1, Y_1$ generate point $Z_1$ on $\ell$, then points $\phi(X_1), \phi(Y_1)$ generate the point $\phi(Z_1)$ on $\ell$, with $\phi(Z_1)$ distinct from $Z_1$. A similar argument applies to the other spaces $\Pi_j$ since $\phi^j$ is also an automorphism of $\Pi_1$ that fixes $\ell$. It is interesting to note that the optimal geometrical construction can be used to reduce the amount of information which needs to be delivered to the combiner if we allow the threshold of participants who submit their (partial) shares to be increased. For example, in our optimal $(2, n)$ threshold changeable scheme, if two participants want to reconstruct the secret, they have to send their full shares (two points each) to the combiner and the total amount of information is $2H(S)$. If three participants send their partial shares (one point each), they can still recover the secret, but the total information delivered to the combiner is reduced to $1.5H(S)$.

5 Changing Threshold of an Arbitrary Threshold Scheme

We close by considering the problem of changing the threshold parameter of an arbitrary $(t, n)$ threshold scheme, without dealer assistance or secure links. Thus we cannot guarantee that subshares can be deterministically derived from the original shares, as in the previous section. In reality this problem seems very difficult to solve with any degree of satisfaction; however, we suggest two possible methods which could be further developed in a search for a solution. Both techniques involve releasing information about shares, instead of the shares themselves.



5.1 Changing Thresholds via Probabilistic Shares 

Instead of submitting shares to a combiner, this first idea is that participants give away some “hints” about their shares. A hint specifies a subset of values to which the share belongs (a specification of particular bits, for example). Thus the information provided by P_i about the share S_i takes the form of a set B_i such that S_i ∈ B_i. One approach to reconstruction is as follows. When trying to reconstruct the secret, each P_i submits their set (hint) B_i to the combiner. The combiner groups the sets into collections of size t, and from each such collection derives the set of all possible secrets corresponding to all the possible share allocations consistent with these share hints. Using the following hints, and the corresponding possible secret sets S^1, S^2, ..., 

B_1, ..., B_{t-1}, B_t 

B_1, ..., B_{t-1}, B_{t+1} 

the combiner can then precisely recover the secret if |S^1 ∩ S^2 ∩ ... ∩ S^l| = 1. It is however clear that such a solution cannot guarantee the precise new value of the threshold. An open problem is thus to determine methods of selecting hints in order to be able to specify within a certain probability that the secret can be reconstructed uniquely. 
5.2 Combiner Assisted Threshold Change 

To avoid the uncertainty of the probabilistic method it is necessary to find a deterministic analogue of the probabilistic sharing idea. This may be possible if information about shares in a threshold scheme can be deterministically released in some manner. An idea is to negotiate a common encoding for delivery of information about participants’ shares. The following provides an illustration of how this might work. Assume the original scheme is a (t, n) Shamir scheme based on a polynomial f(x) over GF(q) of degree at most t − 1. As usual a participant P_i, i = 1, ..., n, is assigned a public co-ordinate x_i and a share s_i = f(x_i). The secret is s = f(0). It is well known that any t participants can collectively recover the secret, as they can write t linearly independent equations and solve them. Let these t participants be P_1, ..., P_t; then they (or the combiner) can write 

s_1 = f(x_1) = a_0 + a_1 x_1 + ... + a_{t-1} x_1^{t-1} 

⋮ 

s_t = f(x_t) = a_0 + a_1 x_t + ... + a_{t-1} x_t^{t-1} 

Let the combiner impose an encoding scheme such that every integer c_i ∈ GF(q) is represented as a vector of k co-ordinates, so 

c_i = c_{i,0} + b c_{i,1} + ... + b^{k-1} c_{i,k-1}, 

where b is the base (for binary representation b = 2). We assume that the representation is one to one. Note that if we encode s_i and a_j, j = 1, ..., t − 1, then from the equation 

s_i = f(x_i) = a_0 + a_1 x_i + ... + a_{t-1} x_i^{t-1} 

we get a system of k independent and equivalent equations relating the corresponding co-ordinates. Now the combiner can ask participant P_i to use the base b to determine the required representation of their share. If the new threshold is t' (t' > t), the combiner requests α subshares s_{i,j} such that t' × α = t × k, and the system of linear equations has a unique solution for the vectors u_i = (u_{i,0}, ..., u_{i,k-1}). The combiner must get t × k linear equations and all t × k unknowns a_{i,j} (i = 0, ..., t − 1 and j = 0, ..., k − 1) must be “covered”. The role of the combiner is to ask the participants for the “right” subshares so that the combiner can cover all unknowns. The presented method can be applied in all linear secret sharing schemes. The encoding may be based on any vector space. 
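As an added worked example (not code from the paper), the following Python realises the combiner-assisted threshold change on a toy Shamir scheme. The paper writes shares in base b and notes that the encoding may be based on any vector space; the example takes GF(2^k) as a k-dimensional vector space over GF(2), so that each bit of a share is one GF(2)-linear equation in the t·k coefficient bits, and a participant can release only some of those bits as subshares. The field GF(8), the thresholds (t = 2 raised to t' = 3, hence α = 2 bits per participant), the participant co-ordinates and the polynomial coefficients are all constructed for the example, and the greedy choice of which bits to ask for is one way of carrying out the combiner's task of covering all unknowns, not a prescription from the paper.

```python
"""Combiner-assisted threshold change on a Shamir (t, n) scheme over GF(2^k).

Added example (not from the paper).  GF(2^k) is used as a k-dimensional vector
space over GF(2): every bit of a share is a GF(2)-linear equation in the t*k
coefficient bits, so participants can release alpha bits ("subshares") each and
the combiner keeps equations until all t*k unknowns are covered.
"""


class GF2k:
    """Arithmetic in GF(2^k); integers are bit vectors, bit i = coefficient of w^i."""

    def __init__(self, k, modulus):
        self.k = k              # extension degree
        self.modulus = modulus  # irreducible polynomial of degree k (bit k set)

    def mul(self, a, b):
        r = 0
        for _ in range(self.k):          # peasant multiplication with reduction
            if b & 1:
                r ^= a
            b >>= 1
            a <<= 1
            if a >> self.k:
                a ^= self.modulus
        return r

    def pow(self, a, e):
        r = 1
        for _ in range(e):
            r = self.mul(r, a)
        return r


def shamir_share(F, coeffs, x):
    """Share s = f(x) = sum_j coeffs[j] * x^j; coeffs[0] is the secret a_0."""
    s = 0
    for j, a in enumerate(coeffs):
        s ^= F.mul(a, F.pow(x, j))
    return s


def bit_equation(F, t, x, bit):
    """GF(2) row for bit `bit` of share s_x over the unknown bits of a_0..a_{t-1}.

    Unknown index j*k + l is bit l of a_j.  Multiplication by the constant x^j is
    GF(2)-linear, so bit `bit` of a_j * x^j is the XOR, over the set bits l of
    a_j, of bit `bit` of (x^j * 2^l)."""
    row = 0
    for j in range(t):
        xj = F.pow(x, j)
        for l in range(F.k):
            if (F.mul(xj, 1 << l) >> bit) & 1:
                row |= 1 << (j * F.k + l)
    return row


def reduce_row(row, basis, nvars):
    """Reduce a row against an echelon basis {leading bit: row}; 0 means dependent."""
    for p in range(nvars - 1, -1, -1):
        if (row >> p) & 1 and p in basis:
            row ^= basis[p]
    return row


def combiner_collect(F, t, shares, alpha):
    """Combiner asks each participant for at most `alpha` bits of its share and
    keeps an equation only when it covers a new direction of the unknowns.
    Returns (rows, rhs bits, bits asked per participant)."""
    nvars = t * F.k
    basis, rows, rhs = {}, [], []
    asked = {x: [] for x in shares}
    for bit in range(F.k):
        for x, s in shares.items():
            if len(asked[x]) == alpha:
                continue
            row = bit_equation(F, t, x, bit)
            red = reduce_row(row, basis, nvars)
            if red == 0:
                continue
            basis[red.bit_length() - 1] = red
            rows.append(row)
            rhs.append((s >> bit) & 1)
            asked[x].append(bit)
            if len(rows) == nvars:
                return rows, rhs, asked
    return rows, rhs, asked


def gf2_solve(rows, rhs, nvars):
    """Gaussian elimination over GF(2); None unless the solution is unique."""
    basis = {}  # leading bit -> (reduced row, reduced rhs)
    for row, b in zip(rows, rhs):
        for p in range(nvars - 1, -1, -1):
            if (row >> p) & 1 and p in basis:
                row ^= basis[p][0]
                b ^= basis[p][1]
        if row:
            basis[row.bit_length() - 1] = (row, b)
    if len(basis) < nvars:
        return None
    sol = 0
    for p in range(nvars):  # non-leading bits of basis[p] are all < p: back-substitute
        row, b = basis[p]
        sol |= (b ^ (bin(row & sol).count("1") & 1)) << p
    return sol


def recover_secret(F, t, shares, alpha):
    """Threshold-changed reconstruction: returns (a_0 or None, bits asked)."""
    rows, rhs, asked = combiner_collect(F, t, shares, alpha)
    sol = gf2_solve(rows, rhs, t * F.k)
    if sol is None:
        return None, asked
    return sol & ((1 << F.k) - 1), asked  # unknowns 0..k-1 are the bits of a_0


if __name__ == "__main__":
    # Constructed toy parameters: GF(8) with w^3 + w + 1, t = 2, k = 3.
    # Raising the threshold to t' = 3 means alpha = t*k/t' = 2 bits per participant.
    F = GF2k(3, 0b1011)
    coeffs = [5, 6]                               # secret a_0 = 5, random a_1 = 6
    shares = {x: shamir_share(F, coeffs, x) for x in (1, 2, 3)}
    print(recover_secret(F, 2, shares, alpha=2))   # (5, {1: [0, 1], 2: [0, 1], 3: [0, 2]})
```

Asking a single participant for all k bits gives only k of the t·k equations, so `recover_secret` returns `None` for it; two full shares (the original threshold) or three half-shares (the new one) both yield a full-rank system.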

6 Conclusions 

In this paper we considered the problem of changing the threshold when there is no secure channel available for the purpose of threshold change. One of the main motivations for this study was to provide robustness in a system where communication channels to the combiner have been tapped. We gave a number of constructions of threshold changeable schemes, including one that is optimal with respect to storage and communication costs. We made some initial remarks on the interesting problem of enabling the threshold of an arbitrary threshold scheme to be changed. Finding efficient and practical solutions to this latter problem remains open. We acknowledge useful discussions with Christine O’Keefe and Peter Wild concerning the design and correctness of the geometric construction. 
A Self-Certified Group-Oriented Cryptosystem without a Combiner 

Abstract. In a (t, n) group-oriented cryptosystem, collaboration of at least t participants is required to perform the group transformation. Two important issues in the implementation of such cryptosystems are: 

1. the sender needs to collect authenticated public keys of the intended receivers; 

2. the combiner needs a secure channel to collect (privately) the partial results from collaborating participants. 

This paper discusses the above problems and proposes a (t, n) group-oriented cryptosystem that works with self-certified public keys, with no help of any combiner. 



1 Introduction 

Cryptography provides tools for the implementation of secure services that guarantee protection of legal rights of individuals and groups. In general, implementations of such services become more complex for groups than for individuals, as groups can exhibit different structures and richer relations among participants. Clearly, the security requirements can vary widely depending upon the size of the group and its internal structure. 

The notion of society-oriented cryptography was introduced by Desmedt [ref]. Unlike classical cryptography, society-oriented cryptography allows groups of cooperating participants to carry out cryptographic transformations. Of course, members of a group still perform some partial transformations independently. To obtain the group transformation, however, they need to cooperate by passing their partial transformations to the so-called combiner. If a subset of the cooperating participants is authorised, the combiner can successfully perform the required group transformation. A more precise definition of society-oriented cryptography may be stated as follows: 

A society-oriented cryptographic system is a protocol which allows the power of performing a cryptographic operation to be distributed among a group of participants such that: 

1. only designated subsets (so called, the authorised sets) of the group can perform the required cryptographic operation, but unauthorised sets cannot do so. 

2. the knowledge of partial transformations corresponding to an authorised set of participants (in performance of a particular cryptographic transformation) must not help an unauthorised set to perform any other cryptographic transformation relating to the group. 

Society-oriented cryptographic systems can be classified into two broad classes. If the group that performs the cryptographic operation has anonymous membership, then the society-oriented cryptographic system is called a threshold cryptographic system (even though the internal structure of the group is not a threshold structure). On the other hand, if the group has known members, then the society-oriented cryptographic system is called a group-oriented cryptographic system. 

Although only a small fraction of all groups in our society are groups with known members, there exist numerous examples that justify the need for group-oriented cryptography. For example, suppose the Federal Bank wishes to send a message such that a particular set of banks according to an access structure [1] can decrypt a cryptogram and hence read the message. In this and many other similar examples, the intended group is a group with known members. Each member of the intended group is either an individual or a group with anonymous membership (from the cryptographic point of view, groups with anonymous membership act as individuals). 

There has not been much research on group-oriented cryptography. Hwang [ref] proposed a shared decryption system in which the sender knows the set of receivers. The Hwang system utilises the Diffie-Hellman [ref] key distribution scheme, and concatenates the Shamir [ref] secret sharing scheme with a predetermined cryptographic system. Franklin and Haber [ref] also discussed group-oriented cryptosystems. Their system uses the ElGamal cryptosystem and is more efficient than Hwang’s system. In [ref] a group-oriented decryption system based on the RSA cryptosystem is proposed. This scheme works with the assumption that the authenticated public keys are available from a central key authority or from “White Pages”. 



2 Group-Oriented Cryptography 

Let 𝒰 = {U_1, ..., U_l} be the collection of all users in the system. A public-key cryptosystem is associated with each user. That is, k_i and K_i are the public and the secret keys corresponding to the user U_i (1 ≤ i ≤ l). The set of all encryption keys is denoted by 𝒦 = {k_1, ..., k_l}. By ℳ and 𝒞 we denote the sets of all messages and cryptograms, respectively. 

[1] The group of intended receivers and the access structure that determines how the cryptogram can be decrypted are chosen by the sender. 
A group-oriented cryptosystem is implemented by the sender. It is at the sender’s discretion to create a subgroup 𝒫 ⊆ 𝒰 of users for whom he encrypts a message. In addition, the sender determines a subgroup 𝒜 ⊆ 𝒫 of intended receivers who are able to decrypt (collectively) a cryptogram generated by the sender. The sender also determines the access policy in the intended group. 

An interesting class of access structures is the threshold access structure. In this paper, we assume that the access policy in the intended group is threshold. A set 𝒜 ⊆ 𝒫 retrieves the message only if |𝒜| ≥ t (t is chosen by the sender). More precisely, a (t, n) group-oriented cryptosystem is such that: 

— any set of t or more participants makes the required cryptographic operation easily computable; 

— any set of t − 1 or fewer participants cannot perform the required cryptographic operation; 

— knowledge of the partial transformations corresponding to an authorised set of users performing a particular cryptographic transformation does not help an unauthorised set of users to perform any other cryptographic transformation regarding the group. 



2.1 The Problems 

A (t, n) group-oriented cryptographic system is a collection of two main algorithms: 

1. sender, who composes the group 𝒫 ⊆ 𝒰 of intended receivers (without loss of generality, we assume that the first n indexes are chosen; that is, 𝒫 = {U_1, ..., U_n}), selects the threshold parameter t, collects the authenticated public keys {k_1, ..., k_n} ∈ 𝒦 of the users of the group 𝒫, and applies the encryption function. The sender dispatches the cryptogram C ∈ 𝒞 to the members of the group 𝒫. 

2. combiner, who collects partial decryptions from a set 𝒜 ⊆ 𝒫 (for the sake of simplicity assume that 𝒜 = {U_1, ..., U_d}) and decrypts the cryptogram as 

f_{Comb} : A_1 × ... × A_d → ℳ 

where A_i is the set of partial decryptions for U_i (i = 1, ..., d). The decryption is always successful if the number of cooperating participants is equal to or greater than the threshold parameter; that is, d ≥ t. 

Two important issues in the implementation of a group-oriented cryptosystem are how to handle the following problems: 

1. how does the sender collect authenticated public keys? 

2. how does the combiner privately collect partial decryptions? 
Problem with collecting authenticated public keys. When an individual wishes to encrypt a message for a group of users, he has first to collect their public keys (that are assumed to be stored in a public directory) and make sure that they actually correspond to those users. This assurance may clearly not be obtained if each user is responsible for creating his pair of keys and publishing his public key in a directory, because with such a system nothing can prevent adversaries from making fake keys related to a given user [2]. 

The obvious solution to this problem is to provide authenticated public keys by connecting users’ public keys to their identities. There are three known approaches that require the existence of a trusted authority. 

In the simplest approach, which is often called certificate-based, the authority creates a certificate for each user, after having checked carefully his identity. In this case, each user visiting the authority is given a certificate of the form R = S(k, I), where I is an identification string based on the user’s identity (prepared by the authority), k is the user’s public key and S is the authority’s signature. The certificate will then be registered in a public directory together with the user’s public key and his identity. Whenever a user A needs to encrypt a message for another user B, he gets (R_B, k_B, I_B) from the directory and checks the validity of the authority’s signature on the pair (k_B, I_B), using the authority’s public key (that everybody is assumed to know). This approach, though having the advantage that even the authority does not know users’ secret keys, requires a large amount of storage and computation (which essentially depends on the signature scheme in use). 

Another approach, known as identity-based, was proposed by Shamir [ref] and has been adopted in many public key schemes. The advantage of this method is that the user’s identity serves as his public key and the related secret key is computed by some trapdoor originated by the authority, so that nobody can determine a valid pair of public and secret keys without knowing that trapdoor. This leads to a scheme that needs no certificate and no verification of signatures, hence reducing the amount of storage and computation. This method has, however, the disadvantage that the secret keys are known to the authority. 

A more sophisticated technique combining the advantages of certificate-based and identity-based methods was proposed by Girault [ref], and is known as self-certified. In this approach, (contrary to identity-based schemes) each user chooses his secret key and creates a shadow w of that secret key using a one-way function and gives it to the authority. Then, (in contrast to certificate-based schemes) instead of creating a certificate, the authority computes the public key k from the pair (w, I), in such a way that k may not be computed without the knowledge of some trapdoor, while w may be easily determined from k and I. 

In this paper, we adopt the latter approach to guarantee the authenticity of 
the public keys. 

[2] Even if there is an authority that controls the public directory and protects write access to it, an adversary can still substitute a public key on the transmission line between the user who is asking for that public key and the server which supports the public directory. 
Problem with collecting partial decryptions. It is well known that in society-oriented (threshold or group-oriented) systems everyone who knows the partial results computed by at least t authorised users can also compute the final result. Consequently, it is very important to send partial results to the combiner privately. In some situations, where collaborating participants belong to a closed organisation (e.g., they work together in the same building) this may not be a serious problem, since they usually have no difficulty in sending their partial results to the combiner (who can be a member of that organisation as well) via internal mail or personally and in private. 

However, this is not the case in most group-oriented cryptographic systems, in which the participants of the intended group are either individuals or organisations far apart in distance. Therefore, in group-oriented cryptosystems, in order to transmit the partial decryptions to the combiner a secure channel is usually needed between the collaborating participants and the combiner. Of course, providing the secure channel is expensive and it may not be available when the group decryption is required. 



3 The Scheme 

In order to avoid the above mentioned problems, we present a group-oriented 
cryptosystem which utilises self-certified public keys and works with no help of 
any combiner. 

3.1 Implementation of Self-Certified Public Keys 

As in all self-certified schemes, our system assumes the existence of an authority 
that delivers certified public keys to the legitimate users. 

Setup Phase: In this phase, the authority chooses: 

— an integer N as the product of two large distinct random primes p and q of almost the same size such that p = 2p' + 1 and q = 2q' + 1, where p' and q' are also prime integers, 

— a prime F > N, 

— a base α ≠ 1 of order r = p'q' modulo N, and 

— a one-way hash function h that outputs integers less than the minimum value of p' and q', that is, h(m) < min(p', q'). 

The authority makes α, h, F and N public, keeps r secret and discards p and q. 

Key Generation: Now, every legitimate user who wishes to receive messages chooses his secret key x, computes the shadow z = α^{-x} (mod N) and gives it to the authority. The authority first interrogates the user about his secret key using an authentication protocol (e.g., a variation of the Schnorr authentication scheme [ref] with composite modulus) in which he must prove his knowledge of x, which is required to be a positive integer. If the authority is convinced of this fact, it prepares a string I corresponding to the user’s identity (his name, his address, ...) and computes ID = h(I). Then, it computes the user’s public key as 

y = (z^{-1} − ID)^{ID^{-1}} (mod N), 

where ID^{-1} is the inverse of ID modulo r. Note that the inverse of ID modulo r always exists, due to the fact that h outputs integers less than p' and q', which guarantees that ID is co-prime to r, for any I. 

Note also that the user’s proof of knowledge of his secret key, and the fact that it should be a positive integer, is very important, as we will see further in this paper. 



3.2 Implementation of a (t, n) Group-Oriented Cryptosystem 

Suppose an individual wants to send a message 0 < m < N to a group 𝒫 = {U_1, ..., U_n} of n users of his choice, such that cooperation of any t members of the group is sufficient to retrieve the message. 

Encryption: The sender, 

— randomly chooses an integer k and computes c = (α^{-1})^k (mod N), 

— forms at random a polynomial g(x) = a_0 + a_1 x + ... + a_{t-1} x^{t-1} in GF(F) such that g(0) = a_0 = ... (mod N), 

— computes for i = 1, ..., n 

w_i = y_i^{ID_i} + ID_i (mod N) 

s_i = w_i^{-k} (mod N) 

d_i = g(s_i) 

e_i = m · ... (mod N) 

and sends (t, c, d_i, e_i) to each U_i. 

Decryption: Upon receiving the cryptogram, every group 𝒜 ⊆ 𝒫 of at least t intended receivers can cooperate to retrieve the plaintext message m. That is, each U_i ∈ 𝒜 first calculates 

s_i = c^{x_i} (mod N), 

and broadcasts the pair (d_i, s_i). When t such pairs have been broadcast, each U_i can recover v = g(0) (mod N), which allows him to compute the plaintext message as 

m = v^{...} e_i (mod N). 
Verification: Since a group of cheating participants can broadcast false pairs (d_i, s_i) to prevent the honest participants from computing the plaintext message, each participant needs to verify the correctness of the message that he has computed. For this purpose, after having computed the message m, each U_i checks 

... (mod N). 

If the equation holds true, the retrieved message is valid; otherwise another collaboration of the intended group can recover the secret, if there exist at least t honest participants in the group. 



4 Security Analysis 

In this section we briefly consider two main issues regarding the above cryptosystem, i.e., forging identities and the ability of adversaries to decrypt messages. 



Theorem 1. Under the assumption that factoring large integers and computing discrete logarithms are difficult, it is computationally infeasible to create a pair of related secret and public keys for a given ID. 

Proof (sketch). After computing z = α^{-x} (mod N), for a given ID the corresponding y may be computed from the relation 

y^{ID} = z^{-1} − ID (mod N). 

However, this means breaking an instance of the RSA cryptosystem [ref], which is believed to be equivalent to factoring N. 

On the other hand, if one first fixes y, then z can be computed from the pair (y, ID) as 

z = (y^{ID} + ID)^{-1} (mod N). 

However, in order to determine the related x, one has to solve a hard instance of the discrete logarithm problem with composite modulus, i.e., 

α^{-x} (mod N) = z. 

It is interesting to notice that the authority can still create a pair of forged keys for a given identity, but the existence of more than one public key for a user means that the authority has cheated, since this may only be done by the authority. This is exactly why we proposed to compute the public key as y = (z^{-1} − ID)^{ID^{-1}} (mod N) and not y = z^{-ID^{-1}} (mod N), because in the latter case any user having a pair of keys (x, y) can create new pairs (kx, y^k) for any value of k. As a result, a cheating authority could not be distinguished from a cheating user. 

Theorem 2. No group of less than t intended receivers can decrypt a message 
if both problems of factoring large integers and computing discrete logarithms are 
difficult. 
Proof (sketch). To decrypt a message, it is essential to know at least 

v = g(0) (mod N). 

Hence, we utilised Shamir’s (t, n) threshold scheme for sharing this value as a secret. This means that the calculation of v needs the knowledge of at least t pairs (d_i, s_i). So, if t − 1 participants {U_1, ..., U_{j−1}, U_{j+1}, ..., U_t} try to recover v, then they need to know s_j, which is actually equal to 

c^{x_j} (mod N). 

However, knowing that 

c = (α^{-1})^k (mod N) and z_j = α^{-x_j} (mod N) 

but without the knowledge of either x_j or k, one obviously has to solve a Diffie-Hellman problem with composite modulus, which is proven to be equivalent to factoring N and computing discrete logarithms modulo each prime factor [3]. 

Note that, without using an authentication protocol at the key generation phase to verify the knowledge of the secret keys, a cheating user C may join the system in a very special way in order to take advantage of some particular situations that we discuss hereafter. 

Instead of computing z with the predetermined protocol, C, who knows two public keys y_1 and y_2 already in use, computes 

w_i = y_i^{ID_i} + ID_i (mod N), i = 1, 2 

and sets his own shadow to be 

z = (w_1 w_2)^{-1} (mod N). 

Now, C presents z to the authority, which delivers as usual C’s public key as y = (z^{-1} − ID)^{ID^{-1}} (mod N). 

Although C does not know the secret key corresponding to shadow z, when a message is sent to a group including C and the two users U_1 and U_2 corresponding to y_1 and y_2, C may decrypt the message. To do so, C sees e_1 and e_2 transmitted to them and gets his own message data, including e = m · ... (mod N). Thus, C computes 

e_1 e_2 e^{-1} (mod N) = m · (w_1 w_2)^{(·)} · z^{(·)} = m 

without needing partial results from other participants. 

This attack is very useful in situations where the quorum of t honest participants is not reached, which means that other members of the group cannot decrypt the message. 



[3] This problem has been considered by McCurley [ref] and is proven to be hard as long as at least one of the problems of computing discrete logarithms and factoring large integers remains intractable. 
When the authority requires a proof of knowledge of the secret key, then C fails because he does not know the discrete logarithm of the z he has computed as above. However, the attack would still work if C cooperates with U_1 and U_2. In this case, the discrete logarithm of z is obviously −(x_1 + x_2), which is a negative integer. To compute a positive integer equivalent to this, one has to know r, which is the authority’s secret. This is why we required that x be a positive integer. 

Theorem 3. It is computationally infeasible to decrypt a message without knowing one of the x_j’s. 

Proof (sketch). Although broadcasting the pairs (d_i, s_i) enables everyone to compute v = g(0) (mod N), the knowledge of v cannot help the adversaries to recover m. Without knowing one of the x_j’s, computing the message m from the pair v and e_j is straightforwardly equivalent to breaking the ElGamal cryptosystem [ref] with composite modulus, which is known to be equivalent to factoring large integers and solving discrete logarithms. 

5 Conclusions 

The paper proposed a (t, n) group-oriented cryptosystem that utilises self-certified public keys and works with no help of any combiner. We showed that in order to decrypt a message one needs to know at least t pairs (d_i, s_i). However, it is still possible to cheat if there do not exist t honest participants in the group. In fact, if t − 1 participants transmit their shares then any of the other n − (t − 1) participants has enough information to recover the original message, while none of those t − 1 participants may decrypt the message successfully. In the full paper, we show how to prevent this problem. 
Abstract. This paper reports on how some features of the Macintosh operating system, versions 7.1 through 8.1 and perhaps later versions, could be used to implement a virus attack unlike any seen previously on the Macintosh, but which bears some resemblance to a “Companion Virus” style of attack as seen under MS-DOS. We briefly discuss some methods used in the implementation of companion viruses under MS-DOS, and also examine techniques used by other Macintosh viruses. Following an examination of the details of our attack, we discuss generic countermeasures to a virus using the attack, one of which in particular appears very effective against the attack. 



1 Introduction 

The Macintosh virus world is not as active as that of PC and PC-compatible computers. There are only a few dozen Macintosh viruses and variants of those viruses known, not counting macro viruses. To the best of the authors’ knowledge, the techniques described here are not employed by any existing Macintosh virus. 

A “companion virus” is a variety of computer virus which avoids modifying the files that it “infects”. Having discovered what we considered a weakness in the Macintosh operating system, which could potentially be exploited to construct a computer virus of this type which has been previously unknown on the Macintosh, we decided to explore the consequences of this in more detail, and to attempt to devise some countermeasures to the attack that could be implemented by anti-virus software to enhance its effectiveness against a virus employing these techniques. Macintosh users and anti-virus vendors should be aware of the possibilities we outline. 

Implementations of companion viruses under MS-DOS will be briefly explained in Section 1.2. The dangers posed by a companion virus attack are outlined in Section 1.3. Section 2 gives an overview of common techniques used in viruses on the Macintosh. Background on workings and features of the Macintosh operating system exploited by the attack we describe is covered in Section 3. Details of the attack and some thoughts on detecting and countering the attack are covered in Section 4. 

In the interests of not supplying sufficient information to allow the easy 
implementation of a functioning virus, only the basic ideas behind the attack 
will be discussed. We feel that the security community is better able to respond 
to a potential security problem of this nature with some degree of foreknowledge 
of the problem. We present some ideas on how it might be combated. 

1.1 What is a Computer Virus? 

The formal definition of a computer virus, due to Dr. F. Cohen, has been used to prove a variety of interesting results [ref, pp. 164-187] [ref]. However, a more accessible English definition that is still thought to describe the essential elements of computer viruses in practice is: 

We define a computer ‘virus’ as a self-replicating program that can ‘infect’ other programs by modifying them or their environment such that a call to an ‘infected’ program implies a call to a possibly evolved, and in most cases, functionally similar copy of the ‘virus’. 

The term “infect”, where used, is used with respect to computer viruses in 
the sense of the definition above throughout the remainder of this document. 

Computer viruses fall into a number of different classes, with some degree of overlap, such as file infectors, which modify various executable objects, for example .EXE and .COM files under MS-DOS, to contain the viral code, or boot sector infectors, which replace or modify the machine instructions stored on disk and executed as part of system startup. 

Another of the varieties of computer virus is the companion virus. 

1.2 What is a Companion Virus? 

A companion virus is of interest because it does not modify any of the files which it infects. Instead, it creates a separate executable file to hold the virus body. Implementations of such a virus depend on the operating system; two basic types of companion virus which could be created under MS-DOS are [ref]: 

Regular Companion or Corresponding File Virus: 

Creates a file in the same directory as the target of infection but with a filename extension which the operating system chooses to execute before that of the original file when the extension is not explicitly specified (for example, under MS-DOS a .COM file with the same name as a .EXE file and in the same directory is executed before the .EXE file if the file extension is not specified). 

PATH Companion: 

Creates a file with any executable extension in a directory that is searched for executable files before the directory containing the target of infection. Named after the PATH environment variables found in operating systems such as MS-DOS and UNIX. 
Magruder also discusses “surrogate file viruses”, a type of companion virus which renames the executable file being infected and replaces it with a copy of the virus program. 

The Macintosh, however, does not have the concept of a “path” which is 
followed when searching for executable files, relied upon by the path companion 
virus, or the notion of filename extensions, relied upon by a regular companion 
virus. However, several features of the Macintosh operating system enable an 
attack that appears very similar in conception if not in execution. 



1.3 Dangers of Companion Viruses 

Bontchev [ref] describes companion viruses as one possible attack against an anti-virus measure known as an integrity checker. Magruder [ref] also discusses the possibility that a companion virus infection may be missed by an integrity checker that is not aware of this type of attack. 

An integrity checker works by computing some variety of hash or checksum (a 
“signature”) of files believed to be at risk of infection by a virus. These signatures 
are stored, and at some future date may be recomputed and compared to the 
originals; if there is a difference, then the file corresponding to that signature has 
changed, and this change may be the result of a virus infection — many common 
viruses infect executable code by altering it in some way, and an integrity checker 
detects the modifications made by the virus. Integrity checkers can therefore be 
useful in detecting the presence of both known and unknown viruses. 

However, integrity checkers are not able to detect companion viruses by this 
approach, as these viruses do not alter any file which is a target of infection. 
Instead, they alter the environment of the file. So to detect this type of virus, an 
integrity checker must be modified to also monitor changes in a file’s environment. 
For example, under MS-DOS the appearance of a .COM file in the same 
directory as a .EXE file, where none had been observed previously, would be a 
suspicious occurrence that an integrity checker could detect. Checking directory 
modification times might also prove useful. A virus-specific anti-virus measure 
could then be applied to determine if the suspicious occurrence is the result of 
a virus. 
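The environment-aware integrity checker described above, as an added example (not code from the paper): it stores the usual per-file signatures, but also records each directory's modification time and looks for a newly appeared executable that MS-DOS would run in preference to one it already knew about (the .COM-beside-.EXE case). The directory listings are constructed in memory rather than read from disk, and the extension precedence table is the MS-DOS search order .COM, .EXE, .BAT.

```python
"""Integrity checker that records a directory's "environment" (the set of
executables present and the directory's modification time) alongside the usual
per-file signatures, so that a DOS-style companion file is reported even though
no existing executable was altered. Example code added to this section, not
from the paper; the directory listings below are constructed, not read from disk."""
import hashlib
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Order in which MS-DOS tries extensions when the user types a bare name:
# a .COM is run before a .EXE of the same name, which is run before a .BAT.
PRECEDENCE = {".com": 0, ".exe": 1, ".bat": 2}


@dataclass
class Snapshot:
    """Recorded state of one directory: {filename: signature} plus its mtime."""
    files: Dict[str, str]
    dir_mtime: float


def file_signature(data: bytes) -> str:
    """The per-file "signature" a classic integrity checker stores."""
    return hashlib.sha256(data).hexdigest()


def take_snapshot(listing: Dict[str, bytes], dir_mtime: float) -> Snapshot:
    """listing maps filename -> contents; in a real tool this comes from the disk."""
    return Snapshot({name: file_signature(data) for name, data in listing.items()},
                    dir_mtime)


def split_name(name: str) -> Tuple[str, str]:
    stem, dot, ext = name.lower().rpartition(".")
    return (stem, "." + ext) if dot else (name.lower(), "")


def shadowing_companions(names: Iterable[str]) -> List[Tuple[str, str]]:
    """Pairs (companion, shadowed): two executables in one directory sharing a
    stem, where DOS would run the first in preference to the second."""
    by_stem: Dict[str, List[Tuple[int, str]]] = {}
    for name in names:
        stem, ext = split_name(name)
        if ext in PRECEDENCE:
            by_stem.setdefault(stem, []).append((PRECEDENCE[ext], name))
    pairs = []
    for entries in by_stem.values():
        entries.sort()
        pairs.extend((entries[i][1], entries[i + 1][1]) for i in range(len(entries) - 1))
    return pairs


def check(baseline: Snapshot, current: Snapshot) -> List[str]:
    findings = []
    # 1. The classic check: any recorded file whose signature changed.
    for name, sig in current.files.items():
        old = baseline.files.get(name)
        if old is not None and old != sig:
            findings.append(f"modified: {name}")
    # 2. Environment check: the directory itself was touched.
    if current.dir_mtime != baseline.dir_mtime:
        findings.append("directory mtime changed")
    # 3. Environment check: a file appeared that DOS would run instead of a
    #    file we already knew about (the .COM-beside-.EXE case from the text).
    known = set(shadowing_companions(baseline.files))
    for companion, shadowed in shadowing_companions(current.files):
        if (companion, shadowed) not in known and companion not in baseline.files:
            findings.append(f"new companion: {companion} shadows {shadowed}")
    return findings


def demo() -> List[str]:
    """Constructed scenario: PROG.EXE is untouched, but a PROG.COM appears."""
    before = {"PROG.EXE": b"MZ constructed original program", "README.TXT": b"hello"}
    baseline = take_snapshot(before, dir_mtime=1000.0)
    after = dict(before)
    after["PROG.COM"] = b"constructed companion file, not a real program"
    return check(baseline, take_snapshot(after, dir_mtime=1042.0))
```

A signature-only checker would report nothing for the `demo()` scenario, since PROG.EXE is byte-for-byte unchanged; the two environment findings are what give the virus-specific scanner mentioned in the text something to follow up.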

2 How Macintosh Viruses Work 

Most existing Macintosh viruses infect executable code intended to run on a 
Macintosh based on one of the Motorola MC680x0 series of microprocessors. The 
first Macintosh computers based on PowerPC microprocessors were introduced 
in 1994, ultimately replacing the 680x0 in new computers. Programs containing 
code only for 680x0-based Macintoshes continue to function because operating 
system software running on the new microprocessors provides an emulator for 
680x0 code |0 Ch. 1]. Most viruses are written for 680x0-based Macintoshes; 
they continue to be a threat to 680x0-based applications on PowerPC-based 
Macintoshes as a consequence of the compatibility provided by this emulator. 
The following discussion relating to the organization of executable code on a 
Macintosh applies only to applications containing code intended for a 680x0- 
based Macintosh. 

Every Macintosh file is composed of two forks, a data fork and a resource 
fork. The data fork contains a file’s data — for example, a text file would contain 
ASCII text in the data fork. The resource fork contains a file’s resources. An 
application program’s resource fork contains the application’s executable code P, 
p. 1-4]. Resources within a particular file are described by a resource type (a 
four-letter code), and an ID number (2-byte signed integer). 

The executable code for an application is usually divided up into a number of 
segments, each segment stored in a “CODE” resource. Only some of these must 
be in memory at certain times; code segments will be loaded when needed and 
may be unloaded when not required. This enables large application programs to 
be run in limited memory. Segment loading, and references from one segment 
to a routine located in another segment are coordinated using a table created 
when the executable code is linked by a compiler. This table, the jump table, 
is stored as the “CODE” resource of ID 0 P, Ch. 7]. The first entry in the jump 
table specifies the first code that will be executed when an application is run. 

A virus that infects an application program then has two ways in which it 
may proceed. First, it may add a new code segment to the application’s resource 
fork, and adjust the jump table to refer to the new segment, usually as the first 
code that is called when the application starts executing. Having performed its 
startup tasks, the virus can replace the original jump table entry, saved during 
the infection process, and jump to it. This strategy is used by the nVIR family 
of viruses P| and also by the INIT 29 virus P], among others. 

Second, a virus might instead choose to append its code to an existing code 
resource, perhaps not modifying the jump table at all. Complications can arise 
due to resource size limitations, however. The ZUC family of viruses are an 
example of the use of this strategy P. 

Such a virus is presented with a problem in becoming permanently resident 
in memory, and arranging for calls to virus code at a later time. Patches may 
be applied to many calls provided by the Macintosh operating system, but will 
only have global effect when applied at system startup P, p. 8-9]. So many 
viruses that infect application programs also infect the operating system, either 
directly or by infecting a system extension that loads at startup, so that virus 
code is executed when the computer is rebooted. Otherwise, the virus will cease 
to be effective once an application exits. The nVIR family [3] and INIT 29 m 
are examples of viruses that behave this way. Viruses of the ZUC family infect 
applications only, not the operating system, however m- 

Patching can also be used by anti-virus programs, to attempt to detect signs 
of virus activity. The suspicious activity could perhaps be blocked, logged, or 
reported to the user. 

Other viruses work by modifying or overriding code used by the operating 
system. The WDEF virus worked by overriding the code used by the operating 
system to draw windows on the screen, and did not involve making any modifications 
to application programs or making direct modifications to the operating 
system m- Some of these viruses are no longer effective, as operating system 
features on which they depended were changed or removed m- 

One recent virus-like program, the AutoStart worm, uses techniques not 
seen previously in Macintosh viruses. It relies on a feature of QuickTime, Apple 
Computer’s software architecture for creating and viewing digital media. The 
AutoStart feature allows an application to be designated for automatic execution 
whenever disks are mounted. When the virus is executed, the operating system 
is infected. The virus becomes active on the next reboot, searching periodically 
for other media, like floppy disks, to infect. This virus/worm spreads well, but 
is easy to remove by hand. The AutoStart feature may be disabled to prevent 
future infection. 

We describe here techniques which could potentially be used by a virus, which 
do not involve any modification of application programs or the operating system 
during the process of infection, unlike most of the techniques outlined above. 
We feel the style of the attack is very similar to that employed by companion 
viruses under an operating system such as MS-DOS; hence the name. 



3 More Macintosh Basics 

This section explains some aspects of the Macintosh file system and operating 
system which will be required to understand the description of the attack to follow. 
These details, and the attack description, are valid with respect to versions 
of the Macintosh operating system from 7.1, which is now several years old, to 
8.1, the latest available to the authors when this paper was prepared. 



3.1 File Types and Creators 

Every file used on a Macintosh computer has both a file type and file creator 
associated with it. 

The file creator is a four-byte code, usually a combination of various ASCII 
characters, which is identical to that of the application program (the package 
of executable code which is executed directly by the computer user in a variety 
of possible ways; henceforth it will be referred to simply as the “application”) 
responsible for creating that particular file. Each application in turn defines a 
number of file types, each of which is another four-byte code, again usually 
a combination of various ASCII characters, that describes the nature of the 
data stored in the file. These codes need have meaning only to the application 
concerned. 

Files of certain types may be used by many different applications. For example, 
files of type TEXT are files that consist of plain ASCII text that requires 
no special handling, so that they may be viewed and altered by applications 
other than the creating application. A file of type APPL is the common variety 
of executable program file of most interest to a computer user (there are several 
other types of executable files which are not of interest here). 
An application typically defines an icon, or small graphical symbol, for each 
file type which can be created by that application, to help users easily determine 
which application was responsible for creating the file. 

3.2 The Desktop Database 

The Desktop Database is a collection of information maintained and used by the 
operating system. Its format does not appear to have been publicly documented. 
The function of the Desktop Database which is of interest is that it stores infor- 
mation about the location and creation date of applications. Information about 
the icons used by files created by particular applications is also stored here. 

Not every type of disk has a Desktop Database. For example, floppy disks 
(storing about 1.4 megabytes) do not have a Desktop Database, but instead 
have a simpler structure which performs similar functions. Our attention here is 
confined to disks which do have Desktop Databases, such as hard disks, or for 
which one is created, such as AppleShare volumes pp. 9-3 to 9-4]. 

The Desktop Database is used when the operating system creates its graphical 
display of windows and icons — the icon that should be displayed for a file 
with a certain type and creator may be determined using the Desktop Database. 

It is also of use when determining which application program should be started 
when the user opens a file, if an application with the appropriate creator 
code is not already executing. Commonly this is done by double-clicking on the 
file concerned using the mouse, although there are other methods which achieve 
the same effect. In order to make use of this file, the operating system must start 
an application which can interpret the contents of the file. 

Usually there will be a single application with a certain creator code on a disk. 
However, it is possible to have several applications with the same creator code on 
the one disk. Although according to a technical note m the application which 
is the “first choice” is the one with whose information the Desktop Database 
was last updated, correcting earlier documentation stating that the “first choice” 
application was the one with the most recent creation date p. 9-5], it appears 
that in most cases the application selected will be the one with the most recent 
creation date. Even after rebuilding the Desktop Database, a process that may 
be initiated by the user and which is sometimes useful in troubleshooting, the 
application selected is the one with the most recent creation date. It is critical 
to the attack described in Section 0 that the application selected for execution 
be the viral application. 

3.3 Starting an Application 

When the user starts an application by opening a file or files in some manner, 
the application is notified by the operating system of the files that were selected 
by the user. 

208 J. Horton and J. Seberry 

This is accomplished using an Apple Event, which is a type of high-level 
event commonly used for interapplication communication. There are many different 
types of Apple Event, and applications may define their own. In the case 
being considered here, the operating system sends an “Open Document” (odoc) 
Apple Event to the application when it has started executing to inform the 
application of the location of the files that the user wishes to open using that 
application. 

Not all application programs support receiving Apple Events; a program that 
does not support these events is not a candidate for infection by the method we 
will describe. Applications may provide Apple Event support but don’t themselves 
“own” any files; as will be seen, such applications are not good candidates for 
infection. However, many common application programs that create files that are 
“owned” by that application support these events, and would be more difficult 
for users to work with if they did not. 

4 A Macintosh “Companion Virus” 

How might these facilities provided by the operating system be used to implement 
a viral attack? If the application required is not already running and is 
not specified, only the documents that are to be processed, then the operating 
system must identify and execute the appropriate application(s) itself, passing 
an event to the application to inform it of the documents it is to process. When 
there exists more than one application on a given disk with the particular creator 
code, the operating system selects the one with the most recent creation date. 

So it suffices to infect an application by creating an application program with 
the same creator code as the other application that is the target of infection, but 
with a more recent creation date, such that the operating system executes the 
viral application in preference to the application which is the target of infection. 

Then, when an infected application is launched, to make it seem as though 
everything is normal, the viral application performs the following tasks: 

1. Intercepts the event intended for the infected application which is sent by 
the operating system; and 

2. Runs the infected application and forwards it the intercepted event; soon 
after completing this step, the viral application would exit, to avoid easy 
detection. 

There are a number of other details which must be handled to create an 
effective virus. As an example of these details, it is useful to preserve the original 
application icon information, which is usually overridden by the icons applicable 
to the more recently created application, so that visual displays look unchanged. 
We are reluctant to discuss solutions to such problems here, in the interests of 
not revealing enough information to easily create an effective virus. 

It is possible to extend the implementation to handle Apple Events sent to a 
newly-launched application under other circumstances and that require different 
handling. However, the presence of the viral application can result in behaviour 
that differs slightly from that of the pre-infection state. 

Cooperating applications might use other types of high-level events that are 
not Apple Events. We consider this to be sufficiently uncommon that the possibility 
is not addressed here. 




Companion Viruses and the Macintosh: Threats and Countermeasures 209 



Clearly this attack bears some resemblance to a companion virus style of 
attack as described in Section o 

It should be noted that it is certainly possible to specify exactly which ap- 
plication program is to be used to manipulate a particular file or files; such a 
virus would rely on the fact that it is more convenient to permit the operating 
system to identify and run an application than to perform this task manually. 

Some consideration has been given to how such a virus might become resident 
in memory; that is, how it might place viral code somewhere in memory and 
arrange for it to be executed at some time in the future, long after the viral 
application itself has ceased to run. Installing a device driver is one possible 
option. Device drivers are not required to deal with devices at all; other uses 
have been found for them. A device driver can elect to receive calls from the 
operating system to perform periodic tasks — in the case of a companion virus, 
such a periodic task could be searching the list of currently running application 
programs, infecting any that appear to be uninfected. 

4.1 Detection 

The mere presence of several applications with the same creator code on a Macintosh 
computer system is not something which should cause any alarm, and 
is not enough to conclude that an application program has been infected by 
a companion-type virus. This situation commonly arises when, for example, a 
new version of an application package is installed without removing the previous 
version. An integrity checker would need to monitor other information to help it 
decide how alarming the presence of multiple applications with the same creator 
code is. For example, as a companion virus would most likely be a much smaller 
file and of a simpler structure than an application that has some more useful 
functionality, the presence of two application programs with the same creator 
code but very different sizes or structures might be considered suspicious. 

It would be useful for an integrity checker to keep track of the locations of 
legitimate applications, and require authorisation from the user to recognise a 
new or moved application. An integrity checker that is aware of legitimately 
installed applications can consult the Desktop Database for a specific creator 
code to determine if any new applications have been added. 

There are a number of system calls which may be of use in implementing 
such a virus and which may be considered suspicious by a behaviour monitoring 
program. A behaviour that is a characteristic of such a virus is a need to launch 
the infected application. As the viral application and infected application have 
the same creator codes, if a patch were installed on the operating system routine 
responsible for launching an application, it could check the creator code of the 
application originating the request against the creator code of the application 
being launched, and refuse to launch an application having the same creator code 
as the one making the request; an indication to the user that suspicious activity 
has been detected would certainly be appropriate. There are various ways that 
might be used by a virus to circumvent such a check, but employing this check 
cuts off the simplest and most straightforward way for one application to launch 
another application. An occasion where one application might legitimately need 
to launch another with the same creator code seems most unlikely. 

As the virus exists as an application separate from the infected application, 
checks on the creation of applications may also be effective. Some anti-virus 
applications will likely include such checks, at least as an option, as they may be 
effective against other varieties of virus. However, this is not as specifically targeted 
against a companion virus attack as the previous countermeasure, and would 
not seem to be appropriate to as wide an environment — for example, people 
working with compilers may find checks on creation of application programs 
produce many false alarms. 

Under OS 8.0 and 8.1, application files may be marked as “invisible” or be 
located within invisible directories, and still be executed successfully when a 
document is double clicked. Under most earlier versions of the operating system, 
this is not the case^1. Although under some OS versions applications may be 
hidden, as there would seem to be no good reason for this, the presence of such 
concealed applications could even be seen by an anti-virus program as being 
suspicious. Substituting a non-hidden application, if one is available, for a hidden one 
at time of execution is a potentially useful strategy. Fixing the operating system 
to ignore hidden applications would also be a useful strategy. 
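The detection ideas of this section, gathered into one checker as an added example (not the authors' demonstration program, whose details the paper withholds): rank the applications sharing a creator code the way the operating system does (most recent creation date wins), flag the one that would actually be launched if it is not the install the user authorised, is invisible, or is far smaller than the authorised copy, and apply the launch-routine policy of refusing a request whose originator has the same creator code as its target. The application records and the creator codes EDIT and PAIN are constructed for the demo, not read from a Desktop Database.

```python
"""Checks an integrity checker or behaviour monitor could apply against a
companion-style attack on the Macintosh. Added example; the records below are
constructed, and the creator codes are made up for the demo."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AppRecord:
    path: str
    creator: str          # four-byte creator code (constructed values here)
    size: int             # total size of both forks, in bytes
    created: datetime     # creation date the OS uses to pick between copies
    invisible: bool = False


def launch_candidate(apps: List[AppRecord], creator: str) -> Optional[AppRecord]:
    """The application the OS would start for `creator`: the most recently
    created one, as the text observes happens in practice."""
    matching = [a for a in apps if a.creator == creator]
    return max(matching, key=lambda a: a.created) if matching else None


def audit(apps: List[AppRecord], authorised: Dict[str, str],
          size_ratio: float = 10.0) -> List[str]:
    """`authorised` maps creator code -> path of the install the user approved
    (the checker asks the user to confirm new or moved applications)."""
    findings: List[str] = []
    for creator, approved_path in authorised.items():
        candidate = launch_candidate(apps, creator)
        if candidate is None:
            findings.append(f"{creator}: authorised application missing")
            continue
        if candidate.path != approved_path:
            findings.append(f"{creator}: {candidate.path} would be launched "
                            f"instead of authorised {approved_path}")
        if candidate.invisible:
            findings.append(f"{creator}: launch candidate {candidate.path} is invisible")
        approved = next((a for a in apps if a.path == approved_path), None)
        # A companion is typically a small, simple program next to a large one.
        if approved and candidate is not approved and approved.size >= size_ratio * candidate.size:
            findings.append(f"{creator}: {candidate.path} is "
                            f"{approved.size // candidate.size}x smaller than {approved_path}")
    return findings


def allow_launch(requester_creator: str, target_creator: str) -> bool:
    """Policy for a patch on the launch routine: refuse when the application
    making the request has the same creator code as the one being launched."""
    return requester_creator != target_creator


def demo() -> List[str]:
    apps = [
        # Legitimate case from the text: an upgrade installed beside the old version.
        AppRecord("HD:Apps:Editor:Editor", "EDIT", 2_400_000, datetime(1998, 3, 1)),
        AppRecord("HD:Apps:Editor:Editor 2.0", "EDIT", 2_900_000, datetime(1998, 9, 1)),
        # Constructed suspicious case: tiny, invisible, newer than the real application.
        AppRecord("HD:System Folder:Extensions:Helper", "PAIN", 24_000,
                  datetime(1999, 2, 2), invisible=True),
        AppRecord("HD:Apps:Paint:Paint", "PAIN", 1_800_000, datetime(1997, 6, 12)),
    ]
    authorised = {"EDIT": "HD:Apps:Editor:Editor 2.0", "PAIN": "HD:Apps:Paint:Paint"}
    return audit(apps, authorised)
```

The EDIT pair produces no finding, which is the point the section opens with: duplicate creator codes alone prove nothing. The PAIN pair is reported three times over, and `allow_launch` is the check the text rates most effective, since the viral application cannot hand the document over to the real one without a same-creator launch.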

The possible utility that a device driver might have for a companion virus is 
discussed in Section 0. There are many legitimate reasons that a program might 
wish to install a device driver^2. As a device driver is potentially of use in a virus 
attack, it would be useful to check drivers for suspicious code that might perform 
virus-like actions when installed. 

Other calls by the virus may also be able to be monitored. For example, 
the companion virus might use the PBDTAddAPPL call to update the Desktop 
Database with information about the newly created viral application when performing 
an infection, rather than waiting for the operating system to update 
the Desktop Database with information about the new application at some time 
in the future. Apple documentation discourages the practice of making modifications 
to the Desktop Database HZl p. 9-3], so it might also be viewed as a 
suspicious event. 

4.2 Demonstration Program 

A non-viral application program demonstrating this attack has been created by 
the authors. The demonstration program has been found to work appropriately 
in a variety of environments — single and multiple partition Macintosh hard 
drives, removable media such as Zip disks, and a simple network consisting of 
two Macintosh computers. 

^1 Sometimes invisible applications will be launched under earlier versions of the operating 
system where this is not normally the case, but apparently only just after 
the application has been made invisible. This appears to be due to stale catalog 
information being read from the disk; this behaviour passes quickly. 

^2 For example, they are commonly used to implement virtual disk schemes, where the 
raw disk data resides in a large container file. 
4.3 Dangers Posed? 

Having discussed a method by which a companion virus for the Macintosh might 
be written, some consideration ought to be given to the dangers posed by an 
attack of this nature. 

It is more difficult for a virus constructed in this manner to remain undetected 
and to spread between systems. Under most OS versions prior to 8.0, this 
variety of virus must exist as a distinct non-invisible file on the disk if it is to 
be executed, and is noticeable by an observant user. Furthermore, in the interests 
of surviving to multiply, such a virus if visible would place itself somewhere 
not associated with the infected application, and so would be unlikely to spread 
through distribution of software archives. 

Under OS versions after and including 8.0, this variety of virus has more 
options. It could even conceal itself in the same directory as the application 
which is the target of infection, which enhances its chances of distribution via 
software archive. 

Such a virus may be able to spread via a local area network to another 
Macintosh. Its ability to spread across a network could of course be slowed by 
proper configuration of user permissions. In particular, users should not have 
permission to make changes on network volumes unless absolutely necessary. 

The attack is rendered considerably more potent if the virus is able to become 
resident in memory. One way that this might be accomplished is outlined. 

The attack is perhaps most dangerous if the virus so constructed is capable 
of two modes of infection. For example, one time in ten the virus might infect by 
modifying the target program in the manner of a file-infecting virus; although it 
would be readily detected by an integrity checker, and perhaps by a behaviour 
monitor, this would improve its chances of spreading to another computer. The 
undetected copies of the virus which infect using the “companion” strategy would 
form a reservoir for future infections. 

5 Conclusion 

We have considered a possible virus attack that could be implemented under the 
Macintosh operating system. The attack has a good resemblance to a companion 
virus style of attack. 

The authors know of no Macintosh viruses implementing an attack such as 
we describe here. The attack is not believed to pose as great a danger as other 
varieties of computer virus, due to limitations of the implementation described. It 
could, however, avoid detection by an integrity checking program or other generic 
anti-virus measures that were not aware of the possibility of this implementation 
of the companion virus strategy. 

We discuss various countermeasures that might be employed against such 
a virus. We believe that the most effective of these measures is to check the 
creator code of the application attempting to launch another against that of the 
application being launched, and to abort the request if the creator codes match. 
Infection is not prevented, but is readily detected. 
Abstract. The NFS protocol provides transparent remote access to shared 
file systems across networks. It is very popular particularly in Unix 
networks where it is probably the most common distributed file system 
technology. NFS however is rarely used outside closed protected networks, 
because its security is notoriously weak. In 1998 Sun Microsystems 
released what is considered the first attempt at providing comprehensive 
security to NFS: a security flavour called RPCSEC_GSS based 
on Kerberos V5 and the GSS-API. The main benefit of this version over 
previous versions is that for the first time each NFS file access call could 
be protected. This paper outlines our efforts to secure NFS producing a 
security solution with even greater functionality. The major new functionality 
is that users may optionally use an access control system based 
on role based access control (RBAC). RBAC allows users to log in, be 
provided with a role, and use this to transparently access their remote 
files through secure NFS. There are also other advantages provided, for 
example security for the mount protocol and the option of public-key 
technology for authentication and key distribution. NFS has been secured 
with SESAME V4 and the practicality and performance of this 
mechanism has been demonstrated by modifying the Linux kernel and 
NFS utilities. 



1 Introduction 

The NFS protocol provides transparent remote access to shared file systems 
across networks 0- It is designed to be hardware, operating system, and network 
independent. The independence is achieved through the use of the Remote 
Procedure Call (RPC) and the External Data Representation (XDR) |2i|. 
NFS Version 2 is specified in RFC1094 ^3 and the more recent NFS Version 3 
is specified in RFC1813 Q- 

The security of NFS relies on the underlying RPC implementation. RPC 
provides a number of security alternatives called authentication flavors. In the 
case of NFS the important flavors are: 
— AUTH_SYS: When this flavor of authentication is used, the server receives 
on each call the client’s effective user identifier (UID), effective group 
identifier (GID), and supplemental group identifiers. The server uses these 
identifiers to determine if access can be granted. It is assumed that the same 
UIDs and GIDs are used on both client and server, or that there is some mapping 
in place. AUTH_SYS is the most common authentication flavor used 
for NFS but is notoriously weak. The scheme doesn’t authenticate the users 
to the NFS Server, and there is no security for the NFS file access calls |2|. 

— AUTH_DH and AUTH_KERB4: These flavors provide greater strength 
in authentication and use Diffie-Hellman ^ in the case of AUTH_DH and 
Kerberos authentication [2^ for AUTH_KERB4. The client and server must 
agree on particular names. This name is more operating system independent 
than the UID/GID scheme. Both users and NFS server are authenticated. 
Unfortunately the scheme also provides no security for NFS file access calls. 

— RPCSEC_GSS: This is the most recent flavor announced and was released 
by Sun Microsystems in 1998 [3]. The implementation is based on using Kerberos 
V5 m and the Generic Security Services Application Programming 
Interface (GSS-API) HSCg. Sun first announced provision for Kerberos V5 
security using the GSS-API in its RPC implementation in [YliSIJ, following on 
similar work done at OpenVision P2|. The identification is based on names. 
RPCSEC_GSS is a big improvement on the previous releases because it 
provides the additional option of security for the NFS file access calls. 
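To make the AUTH_SYS weakness in the first bullet concrete, here is an encoder and decoder for the XDR credential body that flavor carries on every RPC call (the `authsys_parms` structure: stamp, machine name, uid, gid, and the supplemental gids), together with the server-side root-squash mapping that many NFS servers apply to what they decode. This is an added example, not code from the paper or from any NFS implementation; the credential values are constructed, and the anonymous uid 65534 is an assumed "nobody" mapping.

```python
"""Encoder/decoder for the AUTH_SYS credential body (XDR authsys_parms) that an
RPC client attaches to every NFS call, plus the root-squash mapping a server
can apply to it. Added example: the identifiers the server trusts travel in the
clear with no integrity protection, so the only defence on the server side is
to distrust them (squash root) rather than to verify them. Layout follows the
RPC XDR rules: 4-byte big-endian integers, strings and arrays length-prefixed
and padded to a multiple of 4 bytes. The sample credential is constructed."""
import struct
from dataclasses import dataclass, field
from typing import List, Tuple

MAX_MACHINENAME = 255     # XDR limit string machinename<255>
MAX_GIDS = 16             # XDR limit unsigned int gids<16>
ANON_UID = 65534          # assumed "nobody" identity used for root squashing


@dataclass
class AuthSysParms:
    stamp: int
    machinename: str
    uid: int
    gid: int
    gids: List[int] = field(default_factory=list)


def _xdr_string(s: bytes) -> bytes:
    """XDR string: length, bytes, zero padding to a 4-byte boundary."""
    return struct.pack(">I", len(s)) + s + b"\x00" * ((-len(s)) % 4)


def encode_authsys(p: AuthSysParms) -> bytes:
    if len(p.gids) > MAX_GIDS:
        raise ValueError("too many supplemental gids for AUTH_SYS")
    body = struct.pack(">I", p.stamp) + _xdr_string(p.machinename.encode())
    body += struct.pack(">II", p.uid, p.gid)
    body += struct.pack(">I", len(p.gids)) + b"".join(struct.pack(">I", g) for g in p.gids)
    return body


def decode_authsys(data: bytes) -> AuthSysParms:
    """Strict decoder: rejects oversized fields and trailing bytes, which is
    what a server-side validator should do before trusting any of it."""
    off = 0

    def u32() -> int:
        nonlocal off
        (value,) = struct.unpack_from(">I", data, off)
        off += 4
        return value

    stamp = u32()
    name_len = u32()
    if name_len > MAX_MACHINENAME:
        raise ValueError("machinename exceeds XDR maximum")
    name = data[off:off + name_len].decode()
    off += name_len + ((-name_len) % 4)
    uid, gid = u32(), u32()
    count = u32()
    if count > MAX_GIDS:
        raise ValueError("gids array exceeds XDR maximum")
    gids = [u32() for _ in range(count)]
    if off != len(data):
        raise ValueError("trailing bytes after credential")
    return AuthSysParms(stamp, name, uid, gid, gids)


def effective_identity(cred: bytes, root_squash: bool = True) -> Tuple[int, int]:
    """What the server will act as after reading an AUTH_SYS credential.
    Nothing in the credential proves the claim, so a claim of uid 0 is mapped
    to the anonymous identity unless the export deliberately allows root."""
    p = decode_authsys(cred)
    if root_squash and p.uid == 0:
        return ANON_UID, ANON_UID
    return p.uid, p.gid
```

Running `effective_identity` over a captured credential shows the whole problem: a 36-byte body names the user and groups in plaintext, and the server can only choose how much to believe it. RPCSEC_GSS, described in the last bullet, replaces this with a named, authenticated principal and optional integrity or privacy on each call.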

This paper describes an implementation of RPCSEC_GSS security based on 
SESAME V4 (described in Appendix E). Similarly to Sun’s implementation the 
system is based on using SESAME’s GSS-API to secure the RPC. During the 
implementation RFC2203 0| was followed which describes Sun’s RPCSEC_GSS 
flavor for RPC. The fact that this could be accomplished reinforces the 
GSS-API’s claim to mechanism independence. A detailed description and performance 
figures of the SESAME GSS-API RPC is outside of the scope of this paper and 
can be found in P^. 

Because SESAME V4 was used instead of Kerberos V5, the implementation 
differs in a number of ways from Sun’s implementation. SESAME V4 provides an 
access control service based on RBAC. This allows a user to acquire credentials 
containing their role(s). Hence access control decisions can be based on the user’s 
role. SESAME V4 also differs in other respects, for example by providing authentication and 
key distribution services using public-key technology. 

Additionally, the NFS mount protocol has been secured. This allows the 
system to detect whether there is any masquerading by NFS Client or NFS 
Server at the point of mounting. The mount protocol has not been secured with 
any previous flavor of NFS. 

The aim of this paper is to describe the design and implementation decisions 
that were made in building a SESAME V4 secured NFS. The system was 
implemented on Linux. The performance figures are included so the reader can 
determine the impact of adding security. For the rest of this paper SESAME is 
used to refer to SESAME V4. 
The paper is set out as follows. The next section describes how SESAME 
was used to secure the mount protocol. Section 3 includes an outline of how 
file accesses were secured with SESAME. This emphasizes the difficult decisions 
involved with putting SESAME security into the operating system. Section 4 
then describes the major innovation achieved with SESAME: using RBAC for 
NFS access control. The paper finishes with our conclusions. 

2 Implementation of SESAME Security for mount 

The basic NFS system is explained in Appendix 0. There are two main limitations 
to the current mount protocol (note that none of the existing authentication 
flavours secure the mount protocol): 

— The NFS file handle can be eavesdropped as it passes from NFS Server to 
NFS Client. Since the NFS Client uses this file handle to access the mounted 
filesystem it should be protected. 

— There is no authentication of the NFS Client or NFS Server. 

The mount protocol was modified to provide SESAME mutual authentication 
of NFS Client and NFS Server and SESAME protection of the NFS file handle 
during transfer from NFS Server to NFS Client. 

Before the mount protocol begins, the mount program and mountd must have 
access to the appropriate SESAME credentials. In the case of the mount program 
it uses the root user’s credentials that have been acquired through logging into 
the SESAME domain security server, mountd has credentials allowing it to act 
as a server once it has been defined in the SESAME database and given access 
to the appropriate cryptographic information. Using these credentials, the NFS 
Client and NFS Server (through mount and mountd) mutually authenticate and 
establish a security context using calls to the GSS-API. Within this security 
context the request and NFS file handle response are protected using the GSS- 
API data protection routines. 

The system also works if mounting occurs at boot time, or if an automounter 
is used, as long as the SESAME Security Servers are started first, and a boot 
script logs in the root user to SESAME. 

The advantage of securing the mount protocol is that the NFS system knows 
whether the NFS client or NFS Server are being masqueraded at the point of 
mounting, and the NFS file handle cannot be eavesdropped. 
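The secured mount exchange just described, modelled end to end as an added example with both sides' messages. This is not the authors' code and not the SESAME or GSS-API implementation: it assumes a session key that the SESAME domain security server has already issued to both mount and mountd (a constant here), and it stands in for the GSS-API context tokens and data-protection calls with HMAC-SHA256, so it shows the shape of the protocol (mutual authentication, the file handle bound to the client's fresh nonce and masked in transit, replays refused) rather than the real cryptographic mechanism.

```python
"""Toy model of the secured mount protocol of Section 2. Added example; it
assumes a session key already issued by the domain security server (constant
below, constructed) and replaces GSS context establishment and wrap calls with
HMAC-SHA256 over the messages. Not the SESAME implementation."""
import hashlib
import hmac
import json
import os
from typing import Dict, Optional, Tuple

SESSION_KEY = b"demo-session-key-issued-by-domain-security-server"  # constructed
TAG_LEN = 32  # HMAC-SHA256 tag appended to every message


def mac(payload: bytes) -> bytes:
    return hmac.new(SESSION_KEY, payload, hashlib.sha256).digest()


def keystream(label: bytes, n: int) -> bytes:
    """HMAC in counter mode, used to mask the file handle so it cannot be read
    off the wire (stand-in for the confidentiality part of a GSS wrap)."""
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(SESSION_KEY, b"wrap" + label + counter.to_bytes(4, "big"),
                        hashlib.sha256).digest()
        counter += 1
    return out[:n]


def mask(data: bytes, label: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, keystream(label, len(data))))


def client_mount_request(client: str, export: str,
                         nonce: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Message 1, mount -> mountd: principal, export path, fresh nonce, MAC."""
    nonce = nonce or os.urandom(16)
    body = json.dumps({"who": client, "export": export, "nonce": nonce.hex()}).encode()
    return body + mac(body), nonce


class Mountd:
    def __init__(self, name: str, exports: Dict[str, bytes]):
        self.name, self.exports, self.seen = name, exports, set()

    def handle(self, msg: bytes) -> bytes:
        """Authenticate the client, refuse replays, then send message 2:
        the masked file handle bound to the client's nonce, with MAC."""
        body, tag = msg[:-TAG_LEN], msg[-TAG_LEN:]
        if not hmac.compare_digest(tag, mac(body)):
            raise PermissionError("client authentication failed")
        req = json.loads(body)
        if req["nonce"] in self.seen:
            raise PermissionError("replayed mount request")
        self.seen.add(req["nonce"])
        server_nonce = os.urandom(16)
        label = bytes.fromhex(req["nonce"]) + server_nonce
        reply = json.dumps({"server": self.name, "client_nonce": req["nonce"],
                            "server_nonce": server_nonce.hex(),
                            "fh": mask(self.exports[req["export"]], label).hex()}).encode()
        return reply + mac(reply)


def client_accept_reply(reply: bytes, nonce: bytes, expected_server: str) -> bytes:
    """Only a key holder can MAC our fresh nonce, which authenticates mountd;
    then unmask the file handle."""
    body, tag = reply[:-TAG_LEN], reply[-TAG_LEN:]
    if not hmac.compare_digest(tag, mac(body)):
        raise PermissionError("server authentication failed")
    resp = json.loads(body)
    if resp["client_nonce"] != nonce.hex() or resp["server"] != expected_server:
        raise PermissionError("reply is not bound to our request")
    return mask(bytes.fromhex(resp["fh"]), nonce + bytes.fromhex(resp["server_nonce"]))


EXPORTS = {"/export/home": b"\x01\x00\x00\x08constructed-file-handle"}  # constructed


def demo() -> bytes:
    mountd = Mountd("mountd@server", EXPORTS)
    msg, nonce = client_mount_request("root@client", "/export/home")
    return client_accept_reply(mountd.handle(msg), nonce, "mountd@server")


def tamper_is_detected() -> bool:
    mountd = Mountd("mountd@server", EXPORTS)
    msg, _ = client_mount_request("root@client", "/export/home")
    forged = bytearray(msg)
    forged[10] ^= 0x01                      # flip one bit inside the request body
    try:
        mountd.handle(bytes(forged))
    except PermissionError:
        return True
    return False


def replay_is_detected() -> bool:
    mountd = Mountd("mountd@server", EXPORTS)
    msg, _ = client_mount_request("root@client", "/export/home")
    mountd.handle(msg)
    try:
        mountd.handle(msg)                  # same nonce presented again
    except PermissionError:
        return True
    return False
```

The two properties the text claims for the secured mount fall out directly: a masqueraded client or server fails the MAC check because it lacks the session key, and an eavesdropper sees only the masked handle. In the real system the nonce and key handling live inside the GSS-API security context that mount and mountd establish with their SESAME credentials.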



3 Implementation of SESAME Security for File Access 

When a user on an NFS Client tries to access a file on a mounted file system 
there are a number of security considerations: 

— The user and NFS Server should be mutually authenticated. 

— The file system calls between the NFS Client and NFS Server should be data 
protected. 
— The NFS Server should be able to validate the user's privileges. 

SESAME provides all three security services. Note, however, that there is an 
additional complexity for the file accesses. Some of the NFS services are 
provided by the kernel (the kernel level NFS Client program) and hence SESAME 
may be required in the kernel. The implications of this are discussed by 
describing three options for the implementation: 

— All SESAME client code inside the kernel: In this option all of the 
SESAME client code is placed inside the Linux kernel as part of the kernel 
level NFS Client program. This option is the optimal solution if speed is the 
only requirement. The disadvantage of putting the SESAME client code in 
the kernel is that it would become a much larger kernel. This is a problem 
because the kernel can’t be swapped out of main memory, and the larger the 
kernel the more run-time memory is used, and the less memory is available for 
applications. Hence bloating the kernel unnecessarily is poor programming 
practice. There is no doubt that putting all of the SESAME client code in 
the kernel would bloat the kernel above acceptable limits. 

— A separate security daemon for all NFS client security operations: 
In this option a separate user level daemon is used at the client to perform 
the SESAME functions. The kernel level NFS Client program would make 
requests to the daemon for all SESAME security (security context establish- 
ment followed by data protection) . The advantage of this option is that the 
kernel is relatively unchanged in size because all of the SESAME code is in 
the User level daemon. The main disadvantage is that the system is much 
slower. There are user level NFS Clients available, but these are rarely used 
in place of kernel level ones, because of the performance reduction. It is far 
too slow to put all NFS operations outside of the kernel. 

— Compromise: security context outside the kernel, data protection 
inside the kernel: In this option a separate daemon at the client is used 
to perform the SESAME context establishment, but the SESAME wrapping 
functions are placed in the kernel. This option is therefore a compromise 
between putting all of the SESAME client code in the kernel as in the first 
option, and putting all of the SESAME client code outside the kernel as in 
the second option. This option uses a user level daemon to perform context 
establishment with mutual authentication of the user and nfsd. This is slower 
than using the kernel but moves a lot of the SESAME client code out of the 
kernel. Also context establishment only occurs once for each user accessing 
each file system, so performance delays are for the first access only. The pro- 
tection of the individual file requests occur inside the kernel using SESAME 
calls. The increase in size of the kernel is reasonably small (a few percent of 
the kernel size), with the speed benefit of running inside the kernel. Placing 
the data protection calls inside the kernel also results in a minimal overhead 
to the performance of all but the first NFS operations. 

Because it balances a mild increase in kernel size against a small decrease 
in performance, the compromise scheme was implemented. 
4 Role Based Access Control 

RBAC is a relatively new access control paradigm that provides an alternative to 
traditional Discretionary Access Control (DAC) and Mandatory Access Control 
(MAC) models. The aim of RBAC is to simplify security management by provi- 
ding access control that more closely aligns to most organizational structures. 

SESAME provides an RBAC service that has the potential to simplify the 
security management of file systems. To test this, an access control service for 
NFS based on SESAME RBAC was implemented. 

The central notion of RBAC is that access permissions are associated 
with roles, and users are given the ability to act in certain roles. This is a 
change from most traditional access control schemes, where permissions are 
associated with users. The comparison is shown in Figure 1, with the top of the 
figure showing the traditional model and the bottom part of the figure showing 
the RBAC model. Note also on the figure the use of the terms user manager and 
resource manager; they are used throughout the remainder of this paper. 

To help describe the RBAC requirements and design decisions that were 
made, a reference role based model created by the authors is used. 



Fig. 1. Traditional Versus Role Based Access Control 
[Figure not reproduced. Recoverable labels: top half, Traditional Access 
Control, User and Resource managed by the Systems Administrator; bottom half, 
the RBAC model, with the User managed by the User Manager and the Resource 
managed by the Resource Manager.] 



4.1 Reference RBAC Model 

Figure 2 shows the reference role based model. Obviously, it is a subset of a 
full medical role based model, but it includes many of the important features 
of a role based implementation (we use the terminology introduced by Sandhu et 
al.): 

1. Inheritance: The medical model requires inheritance of privileges between 
roles and this is shown in the figure as a role hierarchy. In the hierarchy 
depending on where your role(s) are in the tree you automatically get the 
privileges of those roles lower in the tree (on the same branch). For example 
a pharmacist can access those objects accessible by the pharmacist role, 
and also automatically those objects accessible by the employee role (unless 
explicitly denied access). 



218     P. Ashley, B. Broom, and M. Vandenwauver 

Fig. 2. Medical Role Based Model 
[Figure not reproduced; the only surviving label is the Specialist role. The 
roles and their hierarchy are listed in Table 2.] 



2. Constraints: The medical model requires constraints on privileges between 
roles. The particular type of constraint required is separation of duties. In 
the model for example, a person cannot both act as a doctor or specialist (a 
person who prescribes medication) and a pharmacist (a person who dispenses 
medication) . 



Table 1. Rules for Medical Resources 

Resource                 Controller         Role               Affiliation  Operations 
-----------------------  -----------------  -----------------  -----------  ---------- 
Employee Form            Resource Manager   employee                        rw 
Patient Daily Log        Resource Manager   nurse              ward         rw 
                                            supervising nurse               r 
                                            doctor             ward         r 
                                            specialist         ward         r 
Patient Medical Record   Resource Manager   nurse              ward         r 
                                            doctor             ward         rw 
                                            specialist         ward         rw 
Patient Admin Record     Resource Manager   administrator                   rw 
                                            admin-manager                   r 
Patient Medicine Script  Resource Manager   doctor             ward         rw 
                                            specialist         ward         rw 
                                            pharmacist         ward         r 
Personal Files           Creator            undefined 

There are additional requirements not obvious from the figure, but they can 
be identified if specific medical resources are examined (see Table 1): 

3. Role Affiliation: In many organizations the term role affiliation is very 
useful. For example, although a Nurse may have access to a patient's daily 
logs, it may only be for patients in the Nurse's ward. 

4. Flexibility for Users: RBAC by its nature is non-discretionary. That 
is, the resource managers decide the permissions of all objects in the system. 
In most cases a weakening of those strict requirements is more suitable, in 
that there is a need to support two types of files in the system: organization 
files would be non-discretionary in that the permissions on those files would 
be set by the resource manager, and personal files would be discretionary in 
that the creator of those files would set the permissions on them. 



4.2 Implementing RBAC Using Unix Access Control 

Unix provides the group mechanism which has some similar concepts to a role. 
Users can be members of groups, and permissions on objects can be set for the 
group rather than particular users. There are therefore two sets of databases: 
users and groups, and for each object groups and permissions. 

There are essential differences though between RBAC and the Unix group 
mechanism. The first is who can modify the permissions on the resources. Unix 
has a discretionary access control system (in that the creator of the object sets 
the permissions) whereas RBAC is essentially non-discretionary (in that the re- 
source manager should set the permissions) . Another difference is that to imple- 
ment a role hierarchy, it may be necessary to translate a single role into multiple 
Unix groups. 

To implement RBAC with groups each role can be translated into a corre- 
sponding group (or into a number of groups to implement the hierarchy) and 
an additional mechanism needs to enforce the non-discretionary nature. Unix 
provides a simple solution for this. For each object in the system, the owner is 
identified, and Unix allows only the owner to set the permissions. Therefore if 
the owner could be set to be the resource manager and the permissions set ac- 
cording to the resource manager requirements, RBAC can be implemented with 
Unix groups. 



4.3 Implementing Roles as Groups 

Table 2 shows how to implement the RBAC model from Figure 2 with Unix 
groups. Each role is directly translated into a group, and the role hierarchy can 
be easily implemented by translating a role into multiple groups. One of the 
limitations though of the traditional Unix permission structure is that there is 
only one group implemented for each object. For example, typical Unix 
permissions on a file called project could be: 

-rw-r-----   4 resource nurse      512 Sep 25  1998 project 

This indicates that the owner is resource (the resource manager) and the 
group is nurse. All members of the group nurse have read access to the file. 
These single group permissions have been seen as too restrictive for some time, 
and many new versions of Unix are implementing multiple group permissions (for 
example newer versions of Sun Microsystem’s Solaris operating system provide 
ACLs for each object). 

Assuming the implementation is done on a newer version of Unix with the 
ability to list multiple group permissions per file, the medical RBAC model could 
Table 2. Implementing Roles With Unix Groups 

Group           Members 
--------------  ------------------------------------------------------------------------ 
employee        pharmacist, nurse, super_nurse, doctor, specialist, admin, admin_manager 
pharmacist 
nurse           super_nurse, doctor, specialist 
super_nurse 
doctor          specialist 
specialist 
admin           admin_manager 
admin_manager 


Table 3. Implementing the Medical Model with Unix Permissions: Multiple Groups 

Resource                 UID                GID1           GID2               GID3 
-----------------------  -----------------  -------------  -----------------  ---------- 
Employee Form            Resource Manager   employee 
Patient Daily Log        Resource Manager   nurse (rw)     super_nurse (r)    doctor (r) 
Patient Medical Record   Resource Manager   nurse (r)      doctor (rw) 
Patient Admin Record     Resource Manager   admin (rw)     admin_manager (r) 
Patient Medicine Script  Resource Manager   doctor (rw)    pharmacist (r) 
Research Files           Creator            doctor (r) 


be implemented as shown in Table 3. The first column gives the file types from 
Table 1, and the next columns give the Unix permissions that would be necessary 
to implement the RBAC scheme. With the role hierarchy implemented, and using 
the resource example, up to three groups for each object would be required to 
implement the system. 

Note also the use of the Unix UID field. In Unix this field is used to denote 
the owner of the file, and this owner has the right to change the permissions 
on the file. In the medical context the permissions on most files should only 
be modifiable by the resource manager with fewer files being modifiable by the 
creator. This is indicated in the table with the appropriate UID. 

Suppose the model was implemented on a traditional Unix system with only 
one group. In this case the others field must be used which gives more access 
than was originally intended. 

4.4 Implementation of Non- discretionary Access Control 

As stated previously, non-discretionary access control is required for the orga- 
nizational files. This entails: 

— That the owner of the file be set to the resource manager's UID (so that 
only the resource manager can modify the permissions). 

— That the permissions on the files be set to those required by the resource 
manager (similar to Table 3). 
The scheme was implemented by modifying the NFS Server functions for 
creating files and directories. For each of the different resource types the system 
enforces that the files are created in particular directories (for example the daily 
logs in the directory for daily logs). Inside this directory is a hidden file, created 
by the resource manager, that has an entry indicating the permissions for files 
in that directory. 

For example, taking the case of the daily log, a directory /usr/daily has a file 
.rbac with the following entry: nurse (rw), others (r). When a file is created in a 
directory, or a subdirectory is created, the NFS Server must check for the .rbac 
file, and if it exists ensure it is valid. There are two checks required to validate 
the .rbac file: 

— The owner of the .rbac file must be the same as the owner of the directory 
it is in. 

— The owner must be a member of any groups specified by the entries in the 
.rbac file. For example, if the .rbac file has an entry nurse (rw), then the 
owner of the .rbac file must be a member of the nurse group. 

If either of these conditions is not satisfied then the create does not occur 
and an error is returned. There is one exception to this: if the user creating the 
file or directory is the same as the owner of the directory (the resource manager) 
then the create will always occur. If the .rbac file exists and it is valid, then the 
NFS Server creates the file as follows: 

— The UID of the file is set to the same as that of the .rbac file in the directory 
(the resource manager's UID). 

— The GID and others fields are set as specified in the .rbac file. 

For creating directories, the same scheme applies. The .rbac file from the 
parent directory is copied into the sub-directory with the same permissions. The 
system also supports personal files. If the .rbac file does not exist the NFS Server 
create functions behave exactly as for the traditional Unix system. 
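The following model of the create path is an added example, not the modified nfsd of the paper. It keeps an in-memory directory tree instead of a real file system; the UIDs, the group map and the `/usr/daily` fixture are constructed for the example, and the comma separated `name (perms)` grammar for `.rbac` entries is an assumption generalised from the single entry quoted above. The two validity checks, the resource-manager exception, the ownership and permission assignment, and the copying of `.rbac` into new sub-directories follow the text.

```python
"""Model of the non-discretionary create path described in Section 4.4.

Added example, not the paper's nfsd code.  The directory tree, UIDs and
group memberships are constructed for the example."""
import re
from dataclasses import dataclass, field


@dataclass
class User:
    uid: int
    primary_group: str
    groups: frozenset        # all Unix groups the user is a member of


@dataclass
class Inode:
    owner: int                                    # Unix UID field
    group: str = ""                               # the single GID field
    mode: dict = field(default_factory=dict)      # {"user": .., "group": .., "other": ..}
    rules: dict = field(default_factory=dict)     # .rbac only: group -> perms
    children: dict = field(default_factory=dict)  # directories only: name -> Inode


# Assumed grammar for one .rbac entry: "<group> (<perms>)".
ENTRY = re.compile(r"\s*([A-Za-z_]\w*)\s*\(\s*([rwx]*)\s*\)\s*$")


def parse_rbac(text):
    """'nurse (rw), others (r)' -> {'nurse': 'rw', 'others': 'r'}."""
    rules = {}
    for part in text.split(","):
        m = ENTRY.match(part)
        if not m:
            raise ValueError(f"malformed .rbac entry: {part!r}")
        rules[m.group(1)] = m.group(2)
    return rules


def rbac_valid(directory, rbac, groups_of):
    """The two checks of Section 4.4: the .rbac owner is the directory
    owner, and that owner is a member of every group the entries name."""
    if rbac.owner != directory.owner:
        return False
    owner_groups = groups_of(rbac.owner)
    return all(g == "others" or g in owner_groups for g in rbac.rules)


def nfs_create(directory, name, creator, groups_of, is_dir=False):
    """Server-side create/mkdir.  Returns the new Inode, or raises
    PermissionError when a .rbac file is present but invalid."""
    if name in directory.children:
        raise FileExistsError(name)
    rbac = directory.children.get(".rbac")
    if rbac is None:
        # Personal file: plain Unix behaviour, the creator owns it and
        # therefore controls its permissions (discretionary).
        node = Inode(owner=creator.uid, group=creator.primary_group,
                     mode={"user": "rw", "group": "r", "other": ""})
    else:
        # The directory owner (resource manager) may always create;
        # everybody else needs a valid .rbac file.
        if creator.uid != directory.owner and not rbac_valid(directory, rbac, groups_of):
            raise PermissionError(f"invalid .rbac in directory, create of {name!r} refused")
        groups = [g for g in rbac.rules if g != "others"]
        # Traditional Unix has one GID per file, so only the first role
        # fits; anything else has to spill into 'others' (Section 4.3).
        gid = groups[0] if groups else ""
        node = Inode(owner=directory.owner, group=gid,
                     mode={"user": "rw",
                           "group": rbac.rules.get(gid, ""),
                           "other": rbac.rules.get("others", "")})
        if is_dir:
            # The policy is inherited: copy .rbac into the new directory.
            node.children[".rbac"] = Inode(owner=rbac.owner, rules=dict(rbac.rules))
    directory.children[name] = node
    return node


def example_tree():
    """Constructed fixture: /usr/daily owned by the resource manager
    (uid 100) with the paper's .rbac entry, two users, and a group map."""
    daily = Inode(owner=100, children={
        ".rbac": Inode(owner=100, rules=parse_rbac("nurse (rw), others (r)"))})
    users = {
        "resource": User(100, "resource", frozenset({"resource", "nurse"})),
        "nurse": User(501, "nurse", frozenset({"nurse", "employee"})),
    }
    memberships = {u.uid: set(u.groups) for u in users.values()}
    return daily, users, lambda uid: memberships.get(uid, set())


if __name__ == "__main__":
    daily, users, groups_of = example_tree()
    log = nfs_create(daily, "ward7.log", users["nurse"], groups_of)
    print("owner", log.owner, "group", log.group, "mode", log.mode)
```

A nurse creating `ward7.log` under `/usr/daily` ends up with a file owned by uid 100 (the resource manager), group `nurse` with `rw`, and `r` for others; the nurse cannot later change those bits because she does not own the file. The `others (r)` entry is exactly the single-group weakness noted in Section 4.3: every user on the client, not only doctors and specialists, gets read access.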



4.5 Implementation of Role Constraints 

The important role constraint for the medical role model is separation of duties. 
Implementation of role constraints can occur at two different levels: 

— The user manager can ensure that users are never given access to mutually 
exclusive roles. 

— The resource manager can ensure that permissions on resources never diso- 
bey the constraints. 

The integrity of the system therefore depends on the user manager and re- 
source manager. This can be achieved by user level tools that automate the 
process. 
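As an added example (not the paper's tooling), the script below shows what such a user-level tool has to compute: the transitive closure of the role hierarchy in Table 2, from which the Unix group memberships of Section 4.3 follow; the separation-of-duties check of Section 4.5 applied to a user's effective (inherited) roles, not just the roles assigned directly; and a union-style evaluation of the multi-group entries of Table 3. The hierarchy and permission entries are taken from the tables; the user-to-role assignments are constructed for the example.

```python
"""Role hierarchy -> Unix groups, separation of duties, multi-group access.

Added example, not the paper's implementation.  Role names and the
hierarchy are those of Table 2; the permission entries are three rows
of Table 3; the users assigned to roles are constructed."""
from collections import deque

# Each role lists the roles whose privileges it inherits (senior -> junior).
# Table 2 shows the same relation the other way round (group -> members).
INHERITS = {
    "employee": [],
    "pharmacist": ["employee"],
    "nurse": ["employee"],
    "super_nurse": ["nurse"],
    "doctor": ["nurse"],
    "specialist": ["doctor"],
    "admin": ["employee"],
    "admin_manager": ["admin"],
}

# Separation of duties (Section 4.5): prescribers versus dispensers.
MUTUALLY_EXCLUSIVE = [({"doctor", "specialist"}, {"pharmacist"})]

# Resource -> [(group, permissions)] as in Table 3 (multi-group ACLs).
PERMS = {
    "patient_daily_log": [("nurse", "rw"), ("super_nurse", "r"), ("doctor", "r")],
    "patient_medical_record": [("nurse", "r"), ("doctor", "rw")],
    "patient_medicine_script": [("doctor", "rw"), ("pharmacist", "r")],
}


def effective_roles(role):
    """Transitive closure of the hierarchy: `role` plus every junior role
    it inherits from.  These are exactly the Unix groups a holder of
    `role` must be made a member of."""
    seen, queue = {role}, deque([role])
    while queue:
        for junior in INHERITS[queue.popleft()]:
            if junior not in seen:
                seen.add(junior)
                queue.append(junior)
    return seen


def groups_table():
    """Rebuild Table 2 from the hierarchy: group -> sorted member roles."""
    return {g: sorted(r for r in INHERITS if r != g and g in effective_roles(r))
            for g in INHERITS}


def unix_groups(user_roles):
    """Union of the effective roles of all roles assigned to one user."""
    groups = set()
    for role in user_roles:
        groups |= effective_roles(role)
    return groups


def violates_sod(user_roles):
    """The user manager's check before assigning roles: True if the user
    would hold, directly or by inheritance, roles on both sides of a
    mutually exclusive pair."""
    held = unix_groups(user_roles)
    return any(bool(held & left) and bool(held & right)
               for left, right in MUTUALLY_EXCLUSIVE)


def access(user_roles, resource, op):
    """Multi-group ACL evaluation: granted if ANY entry whose group the
    user belongs to carries `op` ('r' or 'w')."""
    held = unix_groups(user_roles)
    return any(group in held and op in perms for group, perms in PERMS[resource])


if __name__ == "__main__":
    for group, members in groups_table().items():
        print(f"{group:14s} {', '.join(members)}")
    print("doctor+pharmacist violates SoD:", violates_sod(["doctor", "pharmacist"]))
    print("doctor may write daily log:", access(["doctor"], "patient_daily_log", "w"))
```

The last line prints True: because the doctor role is a member of the nurse group, the `nurse (rw)` entry grants a doctor write access to the daily log even though Table 1 and Table 3 give doctors read only. Union-of-matching-entries evaluation cannot express "inherit the nurse role but only read this file"; that needs a separate group for the read-only inheritance or an explicit deny entry, which is the "unless explicitly denied access" qualification in Section 4.1.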
4.6 Implementation of Role Affiliation 

Role affiliation is a constraint applied to the role. For example, in the medical 
system a nurse can only access the daily log of wards the nurse is currently 
working in. Affiliations can be due to a number of reasons, for example location 
of access and time. Parker and Sundt, and Hilchenbach, believe that 
roles and affiliations should be considered separately, and that both active roles 
and affiliations should be used to determine what access is given. 

An alternative implementation to separation of role and affiliation is to in- 
crease the number of roles to cover all possible affiliations. This is the scheme 
implemented with SESAME NFS. 

4.7 Performance 

Obviously it is an important objective to have similar performance with RBAC 
NFS as with traditional NFS. The overhead for the complete system is shown 
in Table 4. The timings are for two 200 MHz Pentiums with 64 MB RAM on a LAN. 



Table 4. Overhead to Traditional NFS 

   Test Scenario                                                   Overhead 
   --------------------------------------------------------------  -------- 
1  First access by the user to the NFS Server                      235 ms 
   (handshake, including PAC transfer) 
2  Subsequent access (GID is looked up in a UID/GID cache)         8 μs 
3  Create file (.rbac file does not exist)                         1.2 ms 
4  Create file (.rbac file exists and is valid)                    7.3 ms 
5  Create directory (.rbac file does not exist)                    2.7 ms 
6  Create directory (.rbac file exists and is valid)               9.9 ms 




5 Conclusions 

A comprehensive security mechanism for NFS has been developed based on 
SESAME. This includes strong authentication of users and NFS servers, security 
for all NFS file accesses, and an access control system based on RBAC. 
Implementation of the authentication and file access security was relatively 
straightforward (although modifying a Unix kernel is always a challenge) and 
works well. The RBAC system was implemented using Unix groups, by modifying the 
NFS Server to translate roles into groups and implement non-discretionary access 
control of files. Although this system is a workable RBAC file system, the single 
group Unix permissions and the need for non-discretionary behaviour result in 
the system having a number of constraints. 
A Network File System 

Figure 3 shows how NFS works from an implementation point of view. The Linux 
kernel V2.1 was used for the implementation, and this version includes the NFS 
Client inside the kernel and the NFS Server outside the kernel (as shown in 
the figure). In other operating systems the NFS Server may be inside the kernel. 
The diagram shows Client operations on the left hand side of the figure and 
Server operations on the right hand side. 




Fig. 3. The Internal Operation of NFS 
[Figure not reproduced; it shows the NFS Client on the left and the NFS Server 
on the right, with the numbered steps described below.] 



The NFS process has two main phases. The first phase is the NFS Client 
mounting the NFS Server's file system (the numbers relate to Figure 3): 

1. A privileged user on the NFS Client (for example the root user on Linux) 
performs the mount operation. The privileged user is actually requesting an 
NFS file handle from the NFS Server. The mount program exists outside the 
kernel. 

2. The mount program contacts the mount daemon on the NFS Server called 
mountd requesting the NFS file handle. Note that both mount and mountd 
use the RPC/XDR user level library for their transport mechanism, mountd 
also exists outside the kernel. 
3. mountd then sends a request to the NFS Server Virtual File System (VFS) 
to return a NFS file handle. 

4. The VFS returns a NFS file handle to mountd if the request was valid. 

5. mountd returns the NFS file handle response back to the NFS Client’s mount 
program. 

6. The mount program then passes the NFS file handle to the kernel level 
NFS Client program that stores it for future use. Note also that the mount 
program can optionally pass the authentication flavor flag to the kernel level 
NFS Client program. If the flavor is the AUTH_SYS then no flag is required 
(the NFS Client program assumes AUTH_SYS as the default), if it is any 
other flavor, then the appropriate flag must be passed. 

7. The mount program indicates to the privileged user if the mount operation 
was successful. 

The second phase is a user (either privileged or non-privileged) on the NFS 
Client requesting to perform a file system operation (again the numbers relate 
to Figure 3): 

8. A user on the NFS Client makes a request to the VFS to perform an operation 
on a mounted file system. 

9. The VFS determines the request is for a remote file system and forwards the 
request to the kernel level NFS Client program for transmission across the 
network. Note that the NFS Client program uses a kernel level RPC/XDR 
library. 

10. The NFS Client program forwards the request to the NFS Server daemon 
called nfsd. nfsd lives outside the kernel and uses a user level RPC/XDR 
library for its network transport. 

11. nfsd forwards the request to the NFS Server’s VFS that accesses its local file 
system (not shown on the diagram). 

12. The NFS Server’s VFS returns the result to nfsd. 

13. nfsd returns the result back to the NFS Client program. 

14. The NFS Client program returns the result to the NFS Client VFS. 

15. Finally the result is returned to the user. 

All of the second phase occurs transparently to the user. As far as the user 
is concerned it appears a file on a local file system is being accessed. When the 
NFS client no longer wants to access the NFS Server, the privileged user uses 
the umount program that un-mounts the file system (not shown on the figure). 
After un-mounting, users can no longer access the file system. 



B SESAME 

SESAME is the name of a security architecture. It is the result of a 
collaboration of Bull, ICL and Siemens together with some leading European 
research groups. The project was partly funded by the European Commission 
under the auspices of its RACE program. SESAME is an acronym for "A Secure 
European System for Applications in a Multi-vendor Environment". Figure 4 
gives an overview of the SESAME architecture. At first glance it might look very 
complex, but it is possible to distinguish four boundaries in the architecture: 
the client, the domain security server, the (application) server, and the support 
components. 



Fig. 4. The SESAME components 
[Figure not reproduced; recoverable labels: Domain Security Server, Support.] 



The client system incorporates the User, User Sponsor (US), Authentication 
Privilege Attribute (APA) Client, Secure Association Context Manager (SACM) 
and client application code. The User Sponsor gives the user the interface to the 
SESAME system, and allows the user to logon. The APA is used by the User 
Sponsor for the communication with the domain security server. The SACM 
provides the data protection services (data authentication, data confidentiality, 
non-repudiation) for the client-server interaction. 

The Domain Security Server is very similar to Kerberos. The main 
difference is the presence of the Privilege Attribute Server (PAS) in SESAME. This 
server has been added to manage the access control mechanism that is 
implemented by SESAME. Because role based access control has many advantages 
over traditional access control schemes, SESAME has chosen to adopt it. The 
scheme is enforced using Privilege Attribute Certificates (PACs). The functions 
of the Authentication Server (AS) and Key Distribution Server (KDS) (ticket 
granting server in Kerberos) are similar to their Kerberos counterparts: providing 
single sign-on and managing the cryptographic keys. A major difference with 
Kerberos is that SESAME also supports public-key based authentication using the 
X.509 authentication mechanism. 

When the application server receives a message from an application client 
indicating that it wants to set up a secure connection, it forwards the client’s 
credentials and keying material (an encrypted session key) to the PAC Validation 
Facility (PVF), which checks whether the client has access to the application. 
If this check is successful, it decrypts the keying material and forwards the 
session keys (SESAME uses independent keys for providing data authentication 
and data confidentiality) to the SACM on the server machine. Through this the 
application server authenticates to the client (mutual authentication) and it also 
enables the application server to secure the communication with the client. 

The SESAME architecture provides a number of support components used 
throughout the system. These include the Audit facility (providing detailed audit 
logs), the Cryptographic Support Facility (CSF) (providing the various 
cryptographic primitives), the Public Key Management (PKM) facility and a 
Certification Authority (CA). 

A detailed description of SESAME can be found in the references. 
Abstract. A group signature scheme allows members of a possibly large 
group to sign messages anonymously on behalf of the group. Only a 
designated entity can determine the identity of the group member who issued 
a given signature. Group signatures, and particularly group blind signatures 
[28, 35] (which incorporate the properties of both blind signatures and group 
signatures), have many applications such as e-commerce. 

In this paper, we first propose a new group signature scheme, suitable for 
large groups (i.e., the group's public key and the signatures are fixed-size 
regardless of the number of memberships). Furthermore, we show how to use 
our group signature scheme to construct a practical privacy-protecting off-line 
electronic cash system. Our group signature scheme is more efficient than 
previous ones and the resulting electronic cash system is characterized by a 
high computational efficiency in the withdrawal protocol¹. 
Then, we show some weaknesses in the design of an electronic cash system 
based on a group signature scheme [28, 35]². Finally, we describe some 
weaknesses of recently proposed group signature schemes [1, 2, 10, 28]. 



1 Introduction 

1.1 Group Signatures 

At Eurocrypt’91, Chaum and Van Heijst introduced the concept of group signature 
schemes. Such a scheme allows any member, of a possibly large group, to sign 
messages on behalf of the group. Group signatures, like ordinary ones, are publicly 
verifiable and can be verified with respect to a single group public key. 

Group signatures have the additional property of being anonymous. However, only a 
designated entity can (if needed) revoke the anonymity of a group signature and 
consequently find out the identity of the originator of a given signature. 

In [17], Chaum and Van Heijst proposed four realizations of group signature schemes. 
Various improvements of their schemes were later proposed [7, 18, 34]. 



¹ Such a protocol involves a bank and a customer. The bank is the processing and 
communications bottleneck in such payment systems. Therefore, it is important to minimize 
the bank's workload when it is involved. 

² Our cash system avoids the weaknesses found in the (group signature based) anonymous 
payment system described in [28]. 

J. Pieprzyk, R. Safavi-Naini, and J. Seberry (Eds.): ACISP'99, LNCS 1587, pp. 228-243, 1999. 
The drawback of these solutions [7, 18, 34] is that the length of the signatures and/or 
the size of the group's public key depend on the size of the group. This limits the 
applicability of such schemes to small groups. 

Recently, Camenisch and Stadler have presented new group signature schemes which 
remain practical even for large groups. In their schemes, the group’s public key and 
the signatures are fixed-size regardless of the number of memberships. 

Recent improvements, in terms of efficiency and security, have been made on group 
signature schemes (suitable for large groups) by Camenisch and Stadler [10], 
Camenisch and Michels [8] and by Ateniese and Tsudik [1,2]. 

1.2 Blind Signatures and Privacy-Protecting Electronic Payment Systems 

The concept of blind signature schemes was introduced by Chaum in 1982 [13]. A 
blind signature scheme is a cryptographic protocol involving two entities: a sender 
and a signer. This protocol allows the sender to choose a message and obtain a digital 
signature of this message from the signer, in such a way, that the signer learns nothing 
about the content of the message that he has signed. Moreover, if the signer later sees 
a message he has signed, he won’t be able to determine when or for whom he signed 
it. 

Blind signature schemes can be used in applications where anonymity is required, 
such as anonymous prepaid electronic payment systems. 

Recent anonymous prepaid electronic payment systems, based on the blind signature 
technique, ‘emulate’ physical cash. In these systems, the users withdraw electronic 
coins which consist of numbers, generated by users, and blindly signed by an 
electronic money issuer (a bank). Each signature represents a given amount. These 
coins are then spent (released) in shops which can authenticate them by using the 
public signature key of the bank. The users retain anonymity in any transaction since 
the coins they use have been blindly signed. 

1.3 Group Blind Signatures 

At Financial Cryptography’98, Lysyanskaya and Ramzan introduced the concept of 
group blind signature schemes and proposed the first realizations of such schemes. 
Group blind signatures incorporate the properties of both blind signatures and group 
signatures. They can be used in many of the settings where blind signatures are used. 
Particularly, they can be used to design privacy-protecting electronic payment 
systems. As an application, Lysyanskaya and Ramzan showed how to use their new 
schemes to achieve an (off-line) payment system in which 'multiple'³ banks can 
securely dispense 'anonymous' and 'untraceable' electronic cash⁴. In this system no 
one, except the designated entity (e.g., the country's Central Bank), can identify the 
bank who issued a given coin (thus providing users with an extra layer of anonymity). 

³ Previous realizations of electronic cash systems focused on models in which a single bank 
issues all the electronic coins. 

⁴ In this system all the banks form a group and the designated entity is the country's central 
bank. 

Our results: In this paper, we first propose a new group signature scheme, suitable 
for large groups (i.e., the group's public key and the signatures are fixed-size 
regardless of the number of memberships). Furthermore, we show how to use it to 
construct a practical privacy-protecting off-line electronic cash system. 

Our group signature scheme is more efficient than previous ones [7, 10, 9]⁵ (and relies 
on different security assumptions than these previous schemes). Moreover, our 
electronic cash system is characterized by a high computational efficiency in the 
withdrawal protocol. Then, we show some weaknesses in the design of an electronic 
cash system based on a group signature scheme [28, 35]. Finally, we describe some 
weaknesses of recently proposed group signature schemes [1,2, 10, 28]. 

Organization of the paper: In section 2, we define the notations we use in this paper 
and introduce the assumptions on which the security of our schemes relies. Then, we 
present the non-interactive proofs of knowledge that will be useful in the sequel. In 
section 3, we describe our new group signature scheme and the resulting electronic 
cash system. In appendix A, we examine the security of this cash system. In 
appendices B and C, we describe some weaknesses of recently proposed group 
signature schemes. 

2 Notations, Assumptions, and Basic Tools 

The security of our scheme is based on assumptions relating to the difficulty in 
solving certain problems. In this section, we define these assumptions, explain our 
notations and introduce the background of the key techniques that will be useful in the 
sequel. 

2.1 Notations 

Throughout the paper we will use the following notations: 

The symbol || will denote the concatenation of two strings. The symbol ε will denote 
the empty string. The notation ‘x ∈_R E’ means that x is chosen uniformly at random 
from the set E. The notation ‘x ≟ y’, used in a protocol, means that the party must 
check whether x is equal to y. 

𝒩 will denote the following set: 𝒩 = { n | n = pq, p < q, p = 2p'+1, q = 2q'+1, where 
p, q, p', q' are all prime numbers and p' and q' are of equal length }. 

For an integer N, Z_N denotes the residue class ring modulo N and Z_N^* denotes the 
multiplicative group of invertible elements in Z_N. 

For an element a ∈ Z_N^*, we denote by ord(a) the order of a in Z_N^*. The subgroup 
generated by an element a ∈ Z_N^* is denoted by ⟨a⟩. For two integers a and b, we 
denote by [a, b] the following set: [a, b] = {a, a+1, ..., b-1, b}. 

H will denote a one-way hash function that maps {0, 1}^* to Z_{2^k} (where k denotes a 
security parameter). Other notations and definitions will be set as needed. 



* Our group signature scheme is slightly more efficient than [9]. 
2.2 Number Theoretic Preliminaries and Assumptions

Let $G$ be a cyclic group of order $n$ and $g$ and $h$ two distinct generators of this group
(in our protocol, $n$ will designate an RSA modulus of unknown factorization). The
discrete logarithm of $y \in G$ to the base $g$ is the smallest positive integer $x$ satisfying
$g^x = y$. A representation of $y \in G$ to the bases $g$ and $h$ is a pair $(a, b)$ satisfying
$y = g^a h^b$ (see [4] for a discussion of the representation problem). In the sequel, the
parameters $n$, $G$ and $g$ should be chosen such that computing discrete logarithms in $G$
to the base $g$ is computationally infeasible.

Let us now introduce two lemmas that will be useful in the construction of our cash 
system (these lemmas have been introduced in [22]). 

Lemma 1. Let $N = PQ$, where $P < Q$, $P = 2P'+1$, $Q = 2Q'+1$ and $P$, $Q$, $P'$, $Q'$ are all
prime numbers (i.e., $N \in \mathcal{N}$). The order of an element of $\mathbb{Z}_N^*$ is one of the set $\{1, 2, P',
Q', 2P', 2Q', P'Q', 2P'Q'\}$. Given an element $a \in \mathbb{Z}_N^* \setminus \{-1, 1\}$ such that
$\mathrm{ord}(a) < P'Q'$, then $\gcd(a - 1, N)$ is a prime factor of $N$.

Following [22], we will assume in our protocol, as a consequence of the above
lemma, that any value (different from $1$ or $-1$) found by a party that does not know the
factorization of $N$ must be of order at least $P'Q'$ in $\mathbb{Z}_N^*$.
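As an added illustration (this code is not part of the paper), the following Python snippet exercises Lemma 1 on a constructed toy modulus and implements the public check on a published $\beta$ that Section 3.1 derives from it: a verifier who does not know $P$ and $Q$ rejects any $\beta$ that equals $\pm 1$ or for which $\gcd(\beta - 1, N)$ is non-trivial; a cheating parameter generator, who knows the factors, can build low-order elements, but they fail exactly this test. The toy primes, the function names and the SHA-free arithmetic are choices made here.

```python
from math import gcd

# Constructed toy modulus N = P*Q with P = 2P'+1, Q = 2Q'+1 all prime, i.e. N lies in
# the set N of Section 2.1 (641 and 653 are prime). Real parameters: l_N = 1200 bits.
P, Q = 1283, 1307
N = P * Q
P1, Q1 = (P - 1) // 2, (Q - 1) // 2          # P' and Q'


def crt(rp, rq):
    """Element of Z_N with residues rp mod P and rq mod Q (needs the factors:
    this is what a cheating parameter generator, not a verifier, can compute)."""
    return (rp + P * (((rq - rp) * pow(P, -1, Q)) % Q)) % N


def lemma1_factor(a):
    """Lemma 1: if a != +-1 has order < P'Q', gcd(a - 1, N) is a prime factor of N."""
    return gcd(a - 1, N)


def accept_beta(beta):
    """The Section 3.1 check on a published beta: beta != +-1 and gcd(beta-1, N) = 1.
    By Lemma 1 this proves ord(beta) >= P'Q' without knowing the factors, and then
    alpha = beta^2 is a quadratic residue of order exactly P'Q'."""
    beta %= N
    return beta not in (1, N - 1) and gcd(beta - 1, N) == 1


def order(a):
    """Order of a in Z_N^*, computed with the factorisation (generator side only)."""
    for div in sorted({1, 2, P1, Q1, 2 * P1, 2 * Q1, P1 * Q1, 2 * P1 * Q1}):
        if pow(a, div, N) == 1:
            return div
    raise ValueError("not an element of Z_N^*")


# Two low-order elements a cheating GR could try to publish as beta, built with the factors:
bad_order_2 = crt(1, Q - 1)          # 1 mod P, -1 mod Q: order 2, but neither 1 nor -1
bad_order_Q1 = crt(1, pow(2, 2, Q))  # 1 mod P, a non-trivial square mod Q: order Q'
good_beta = 3                        # passes the public check, hence ord(3) >= P'Q'
```

The verifier never computes `order()`; it only runs `accept_beta()`, and Lemma 1 is what makes that cheap test sufficient.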

Lemma 2. Let $N$ be as in Lemma 1. Given an element $a$ such that
$\mathrm{ord}(a) \in \{P'Q', 2P'Q'\}$, then for every $m \in \mathbb{Z}_N^*$ a fixed power of $m$ lies in $\langle a \rangle$ (the
exponent is illegible in this copy).

Note: The proofs of these lemmas do not appear in [22] (they appear in an extended
version of this paper [23]). Lemma 2 is true but incomplete. Indeed, it is possible to
prove `more' than what is claimed in Lemma 2: a stronger statement about which powers of $m$
lie in $\langle a \rangle$ holds (the exponent is again illegible here; the proof of this `new' lemma will
appear in the full paper).

The following assumption is needed for the proof of soundness of one of our
underlying building blocks.

Assumption 1 (Modified RSA Assumption [21])

Given as inputs an element $N \in \mathcal{N}$ (of unknown factorization) and $Y \in \mathbb{Z}_N^*$ (such
that $Y$ is not a perfect power in $\mathbb{Z}$), it is hard to find $X$ and $e$ ($e > 2$) such that
$Y = X^e \pmod N$ (see [21] for a general and formal definition of this assumption).
The security of our electronic cash system also relies on the following two
assumptions:

Assumption 2 (Decision Diffie-Hellman Assumption)$^1$

Let $N \in \mathcal{N}$. Let $\alpha$ be a quadratic residue modulo $N$ that has a large order in $\mathbb{Z}_N^*$. Let
$G = \langle \alpha \rangle$. Given as input a triplet $T = (\alpha^a, \alpha^b, \alpha^c)$ in $G^3$, it is hard to decide
whether $T$ is a Diffie-Hellman triplet (that is $T = (\alpha^a, \alpha^b, \alpha^{ab})$) or a random triplet
(see [3] for a general and formal definition of this assumption and also for a
discussion of the Decision Diffie-Hellman assumption in groups in which only an
upper bound on the size of the group is given).

$^1$ Or perfect-Decision Diffie-Hellman assumption using the terminology of [3]. The
perfect-Decision Diffie-Hellman assumption is, in some groups, equivalent to the Decision
Diffie-Hellman assumption (not perfect).

Assumption 3 (Computation of approximate $e$-th roots modulo a composite number)
Let $e$ be an integer ($e \geq 4$). Given as inputs an element $N \in \mathcal{N}$ (of unknown
factorization) and a (suitably chosen)$^2$ element $C \in \mathbb{Z}_N^*$, it is hard to find two integers
$X$ and $\delta$ such that $X^e = C + \delta \pmod N$ and $\delta \in [a, b]$ (where $a$ and $b$ are two
integers satisfying $0 < a < b$; the upper bound imposed on $b$ is illegible in this copy).

Note: The security of the Okamoto-Shiraishi signature scheme [33] is based on the
same assumption (i.e., on the assumption that computing approximate $e$-th roots
modulo a composite number is hard when the factorization of this number is
unknown). In their scheme, the composite number $N$ is equal to $p^2 q$, where $p$ and $q$
are two distinct primes. $N$ is the public key and the factorization of $N$ constitutes the
secret key. A signature $s$ (with $s$ not too small) is considered as valid for a message $m$
if $h(m) < s^e \bmod N < h(m) + O(N^{2/3})$ (where $h$ is a given one-way hash function).
This scheme has been broken when the exponent $e$ is equal to 2 or 3 [6, 26, 39]. But,
till now, no attack is known against higher degree versions of the Okamoto-Shiraishi
scheme, and when the exponent $e$ is greater than or equal to 4, the Okamoto-Shiraishi
scheme is considered as robust.

Other assumptions will be set as needed. 

2.3 Building Blocks: Proofs of Knowledge 

In this section, we describe the building blocks necessary for the design of our group 
signature scheme (and also for the resulting off-line electronic cash system). 

These building blocks are signature schemes derived from ’zero-knowledge’ proofs of 
knowledge using the Fiat-Shamir heuristic [20] . 

The first building block is a proof of knowledge of a representation. For this proof of
knowledge of a representation we are inspired by a proof given by T. Okamoto [31].
Proof of Knowledge of a Representation. Let $G$ be a cyclic group of order $n$ and $g_1$
and $g_2$ be two distinct generators of this group (in our protocol, $n$ will designate an
RSA modulus of unknown factorization).

Definition 1 (Proof$_{REP}$) A (message-dependent) proof of knowledge of a
representation of $h$ with respect to $(g_1, g_2)$ is a tuple
$(c, r_1, r_2) = \mathrm{Proof}_{REP}(M, g_1, g_2, h)$, where $c = H(M \| g_1 \| g_2 \| h \| g_1^{r_1} g_2^{r_2} h^{c})$. Since the
proof involves the message $M$, it is called message-dependent. This message may be
the empty string $\epsilon$.

The prover who knows the representation $(x_1, x_2)$ of $h$ with respect to $(g_1, g_2)$ can
construct such a proof. For this purpose, he chooses two random numbers
$a_1, a_2 \in_R \mathbb{Z}_n$ and computes $c = H(M \| g_1 \| g_2 \| h \| g_1^{a_1} g_2^{a_2})$. Then, he computes
$r_i = a_i - c\,x_i \bmod n$ for $1 \leq i \leq 2$. To verify such a proof, the verifier checks whether
$c$ is equal to $H(M \| g_1 \| g_2 \| h \| g_1^{r_1} g_2^{r_2} h^{c})$.

$^2$ See [27] for example.



Note: According to the definition of [19], Proof$_{REP}$ is not a proof of knowledge.
However, it is assumed that this proof does not leak any information about the
representation that the prover knows.
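Added example (not code from the paper): a Python implementation of Proof$_{REP}$ exactly as in Definition 1, over a constructed toy group (the subgroup of order $n = 253$ in $\mathbb{Z}_{1013}^*$) with $H$ instantiated as SHA-256 truncated to $k$ bits. It shows that an honest proof verifies, that the same proof is rejected under a different message (this is what "message-dependent" buys), and that altering one response invalidates the proof. The group sizes, the hash instantiation and the function names are assumptions made here; in the paper $n$ is an 800-bit RSA modulus whose factorization nobody but the group manager knows.

```python
import hashlib
import secrets

# Constructed toy group: n = 11*23 = 253 (11 = 2*5+1 and 23 = 2*11+1 are safe primes),
# P = 4*n + 1 = 1013 is prime, and G is the subgroup of Z_P^* of order n.
n, P, k = 253, 1013, 32


def element_of_order_n():
    for r in range(2, P):
        cand = pow(r, (P - 1) // n, P)
        if cand != 1 and pow(cand, 11, P) != 1 and pow(cand, 23, P) != 1:
            return cand
    raise RuntimeError("no element of order n")


g1 = element_of_order_n()
g2 = pow(g1, 17, P)   # second generator (gcd(17, n) = 1); in practice log_{g1} g2 must be unknown


def H(*parts):
    """H : {0,1}^* -> Z_{2^k}, here SHA-256 truncated to k bits."""
    data = b"||".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << k)


def proof_rep(M, h, x1, x2):
    """Prover of Definition 1: (c, r1, r2) for h = g1^x1 * g2^x2 and message M."""
    a1, a2 = secrets.randbelow(n), secrets.randbelow(n)
    t = pow(g1, a1, P) * pow(g2, a2, P) % P
    c = H(M, g1, g2, h, t)
    return c, (a1 - c * x1) % n, (a2 - c * x2) % n


def verify_rep(M, h, proof):
    """Verifier: recompute g1^r1 * g2^r2 * h^c (= g1^a1 * g2^a2) and compare the hash with c."""
    c, r1, r2 = proof
    t = pow(g1, r1, P) * pow(g2, r2, P) * pow(h, c, P) % P
    return c == H(M, g1, g2, h, t)


def demo():
    x1, x2 = 42, 199
    h = pow(g1, x1, P) * pow(g2, x2, P) % P
    pi = proof_rep("coin#1", h, x1, x2)
    accepted = verify_rep("coin#1", h, pi)
    replayed = verify_rep("coin#2", h, pi)                      # other message: rejected
    c, r1, r2 = pi
    tampered = verify_rep("coin#1", h, (c, (r1 + 1) % n, r2))   # changed response: rejected
    return accepted, replayed, tampered
```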

The second building block is used to prove that the discrete logarithm of an element is
equal to one coordinate of a representation.

Proof of Equality of Discrete Coordinates. This proof is related to the proof of
equality of two discrete logarithms described in [16]. Let $G$ be a cyclic group of order
$n$ and $g$, $g_1$ and $g_2$ be three distinct generators of this group (in our protocol, $n$ will
designate an RSA modulus of unknown factorization).

Definition 2 (Proof$_{REP+LOGEQ}$) A (message-dependent) proof of knowledge of a
representation of $h_1$ with respect to $(g_1, g_2)$, which also proves that the exponent of $g_1$
in this representation is equal to $\log_g h$, is a tuple
$(c, r_1, r_2) = \mathrm{Proof}_{REP+LOGEQ}(M, g_1, g_2, h_1, g, h)$, where $c = H(M \| g_1 \| g_2 \| h_1 \| g \|
h \| g_1^{r_1} g_2^{r_2} h_1^{c} \| g^{r_1} h^{c})$. As before, $M$ is a (possibly empty) message associated to the
proof. The prover who knows the representation $(x_1, x_2)$
of $h_1$ with respect to $(g_1, g_2)$ and $\log_g h = x_1$, can construct such a proof. For this
purpose, he chooses two random numbers $a_1, a_2 \in_R \mathbb{Z}_n$ and computes
$c = H(M \| g_1 \| g_2 \| h_1 \| g \| h \| g_1^{a_1} g_2^{a_2} \| g^{a_1})$. Then he computes $r_i = a_i - c\,x_i \bmod n$
for $1 \leq i \leq 2$. The verifier of this proof checks whether $c$ is equal to
$H(M \| g_1 \| g_2 \| h_1 \| g \| h \| g_1^{r_1} g_2^{r_2} h_1^{c} \| g^{r_1} h^{c})$.

The following building block is used to prove the knowledge of the $e$-th root of the
first coordinate of a representation.

Proof of Knowledge of Roots of Representations. Let $G$ be a cyclic group of order
$n$ and $g_1$ and $g_2$ be two distinct generators of this group (in our protocol, $n$ will
designate an RSA modulus of unknown factorization).

Definition 3 (Proof$_{REP+ROOT}$) $\mathrm{Proof}_{REP+ROOT}(M, e, g_1, g_2, h)$ denotes a (message-
dependent) proof of knowledge of the $e$-th root of the $g_1$-part of a representation of $h$
with respect to $(g_1, g_2)$.

For this proof, we adopt a proof of knowledge presented by Camenisch and Stadler in
[10].

Proof that a Secret Lies in a Predetermined Interval. The following building block
is used to prove that a secret lies in a predetermined interval. Our building block is
related to the Range Bounded Commitment protocol (RBC for short) of Chan et
al. [11, and also 37]. It is also related to a protocol given by Camenisch and Michels
[8].

Note: The RBC protocol is not secure. More precisely, this protocol does not prove
that a secret lies in a predetermined range (counter-examples are easy to find). We
have informed the authors of this fact. They were aware of this mistake [38]. An
updated version of [11], with a new RBC, is available at [12]. Our building block is
related to this new version of the RBC.

Let us now define our building block (we freely borrow the notations of the similar
building block described in [8]).

Let $G$ be a cyclic group of order $n$ and $g$, $g_1$ and $g_2$ be three distinct generators of this
group (in our protocol, $n$ will designate an RSA modulus of unknown factorization).
Let $N$ be an element of $\mathcal{N}$ of unknown factorization. Let $\alpha$ be a quadratic residue
modulo $N$ that has a large order in $\mathbb{Z}_N^*$. Let $l_N$ denote the bit-length of $N$. Let $\varepsilon > 1$ be
a security parameter and let $l_1$ and $l_2$ denote lengths. Let $H$ be a one-way hash
function that maps $\{0,1\}^*$ to $\mathbb{Z}_{2^k}$ (where $k$ denotes a security parameter).

Definition 4 (Proof$_{LOG+RANGE}$) A (message-dependent) proof of knowledge of the
discrete logarithm of $h$ with respect to $g$ and of $S$ with respect to $\alpha$, which also
proves that $\log_g h = \log_\alpha S$ and that $\log_g h$ is in
$I_{extended} = [\,2^{l_1} - 2^{\varepsilon(l_2+k)+1},\ 2^{l_1} + 2^{\varepsilon(l_2+k)+1}\,]$,
is a pair $(c, r) = \mathrm{Proof}_{LOG+RANGE}(M, g, h, \alpha, S, l_1, l_2, l_N, \varepsilon, k)$, where:

$c = H(M \| g \| h \| \alpha \| S \| g^{\,r - c\,2^{l_1}} h^{c} \| \alpha^{\,r - c\,2^{l_1}} S^{c})$ and $r$ is in $[\,-(2^{k} - 1)(2^{l_2} - 1),\ 2^{\varepsilon(l_2+k)}\,]$.

Such a proof can be obtained if the prover knows an element $x$ in $I = [\,2^{l_1},\ 2^{l_1} + 2^{l_2} - 1\,]$
such that $h = g^x$ and $S = \alpha^x$ hold.

To construct the proof, the prover chooses $a \in_R \{0,1\}^{\varepsilon(l_2+k)}$ and computes
$c = H(M \| g \| h \| \alpha \| S \| g^{a} \| \alpha^{a})$ and $r = a - c\,(x - 2^{l_1})$ (in $\mathbb{Z}$). To verify such a proof,
the verifier checks whether:

- $c$ is equal to $H(M \| g \| h \| \alpha \| S \| g^{\,r - c\,2^{l_1}} h^{c} \| \alpha^{\,r - c\,2^{l_1}} S^{c})$,

- $r$ is in $[\,-(2^{k} - 1)(2^{l_2} - 1),\ 2^{\varepsilon(l_2+k)}\,]$.

We assume that $n < N$ and that $I_{extended} \subset [1, n-1]$.

Lemma 3: If Assumption 1 holds and $\varepsilon > 1$ then the interactive protocol underlying
Proof$_{LOG+RANGE}$ is a statistical honest-verifier zero-knowledge proof of knowledge of
an integer $x$ in $[\,2^{l_1} - 2^{\varepsilon(l_2+k)+1},\ 2^{l_1} + 2^{\varepsilon(l_2+k)+1}\,]$ such that $h = g^x$ and $S = \alpha^x$.

Proof. See [21] and also [8] for the proof of soundness. See [8, 36] for the proof that
the protocol is statistical honest-verifier zero-knowledge for any $\varepsilon > 1$.
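Added example (not code from the paper): a Python implementation of Proof$_{LOG+RANGE}$ as in Definition 4, with the parameter generation of Section 3.1 scaled down to toy sizes ($l_1 = 34$, $l_2 = 8$, $k = 16$, $\varepsilon = 4/3$, two-hundred-thousand-range safe primes instead of $l_1 = 325$, $l_2 = 160$, $k = 80$ and 800/1200-bit moduli). The response $r$ is computed over $\mathbb{Z}$ and the verifier's interval check on $r$ is what bounds $\log_g h$ to $I_{extended}$. The second half of the demo runs the honest prover algorithm on a secret outside $I_{extended}$: whenever $c \neq 0$ its $r$ leaves the allowed interval and the proof is rejected; with probability $2^{-k}$ the challenge is $0$ and any $r$ passes, which is the soundness error of a $k$-bit challenge and the reason the paper takes $k = 80$. The primality test, the search for $P = \omega n + 1$, the hash instantiation and all names are assumptions of this example.

```python
import hashlib
import secrets
from math import gcd


def is_prime(m):
    """Miller-Rabin with fixed bases; deterministic for m < 3.4e14, the sizes used here."""
    if m < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17):
        if m % sp == 0:
            return m == sp
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for base in (2, 3, 5, 7, 11, 13, 17):
        x = pow(base, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True


def safe_prime_above(start):
    """Smallest safe prime 2p'+1 with p' >= start//2 (constructed toy parameter generation)."""
    pp = start // 2 | 1
    while not (is_prime(pp) and is_prime(2 * pp + 1)):
        pp += 2
    return 2 * pp + 1


# Parameters in the shape of Section 3.1 / Appendix A, scaled down to toy sizes.
l1, l2, k, eps = 34, 8, 16, 4 / 3
L = round(eps * (l2 + k))                       # eps*(l2+k) = 32 bits of prover randomness
p = safe_prime_above(2**18)                     # n = p*q is the "unknown factorisation" modulus
q = safe_prime_above(p + 2)
n = p * q
P1 = safe_prime_above(q + 2)                    # N = P1*Q1 > n, as the paper requires
Q1 = safe_prime_above(P1 + 2)
N = P1 * Q1
assert l1 > L + 1 and 2**l1 + 2**(L + 1) < n    # I_extended lies inside [1, n-1]

# P = omega*n + 1 prime, by exhaustive search over omega (footnote of Section 3.1).
omega = next(w for w in range(2, 50000, 2) if is_prime(w * n + 1))
P = omega * n + 1
g = next(gg for gg in (pow(r, omega, P) for r in range(2, P))
         if gg != 1 and pow(gg, p, P) != 1 and pow(gg, q, P) != 1)   # order exactly n
beta = 5
assert beta not in (1, N - 1) and gcd(beta - 1, N) == 1             # Lemma 1 check on beta
alpha = pow(beta, 2, N)                                              # quadratic residue mod N

R_LOW, R_HIGH = -(2**k - 1) * (2**l2 - 1), 2**L
I_EXT = (2**l1 - 2**(L + 1), 2**l1 + 2**(L + 1))


def H(*parts):
    """H : {0,1}^* -> Z_{2^k} (SHA-256 truncated to k bits)."""
    data = b"||".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << k)


def prove_log_range(M, x):
    """Prover of Definition 4 for x in I = [2^l1, 2^l1 + 2^l2 - 1]: returns h = g^x mod P,
    S = alpha^x mod N and the proof (c, r), with r computed over the integers."""
    h, S = pow(g, x, P), pow(alpha, x, N)
    a = secrets.randbits(L)
    c = H(M, g, h, alpha, S, pow(g, a, P), pow(alpha, a, N))
    return h, S, (c, a - c * (x - 2**l1))


def verify_log_range(M, h, S, proof):
    """Verifier of Definition 4: the interval check on r is what bounds log_g h."""
    c, r = proof
    if not (R_LOW <= r <= R_HIGH):
        return False
    e = r - c * 2**l1                                 # may be negative
    tg = pow(g, e % n, P) * pow(h, c, P) % P          # g has public order n
    ta = pow(alpha, e, N) * pow(S, c, N) % N          # unknown order: pow() inverts for e < 0
    return c == H(M, g, h, alpha, S, tg, ta)


def demo():
    x_in = 2**l1 + 200                                # inside I
    h, S, pi = prove_log_range("join", x_in)
    accepted = verify_log_range("join", h, S, pi)
    # Secret far outside I_extended: r falls below R_LOW whenever c != 0 (rejected);
    # c == 0 happens with probability 2^-k and then any r passes (soundness error).
    x_out = 2**l1 + 2**(L + 2)
    h2, S2, pi2 = prove_log_range("join", x_out)
    cheat_accepted = verify_log_range("join", h2, S2, pi2)
    return {"valid_accepted": accepted,
            "cheat_rejected_or_zero_challenge": (not cheat_accepted) or pi2[0] == 0,
            "I_extended": I_EXT}
```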

Definition 5 (Proof$_{REP+RANGE}$) A (message-dependent) proof of knowledge of a
representation of $h_1$ with respect to $(g_1, g_2)$, which also proves that the exponent of
$g_1$ in this representation is in $[\,2^{l_1} - 2^{\varepsilon(l_2+k)+1},\ 2^{l_1} + 2^{\varepsilon(l_2+k)+1}\,]$ and is equal to $\log_\alpha S$, is
denoted by $\mathrm{Proof}_{REP+RANGE}(M, g_1, g_2, h_1, \alpha, S, l_1, l_2, l_N, \varepsilon, k)$.

This building block is an easy variant of the previous building block.
3 The Proposed Group Signature Scheme and the Resulting
Anonymous Offline Electronic Cash System

Due to space limitations, we will not (in this section) describe in detail our group 
signature scheme. Rather, we will present a practical electronic cash system based on 
our group signature scheme. 

In this section, we show how to use the basic tools described in the previous sections, 
to construct a practical off-line electronic cash system satisfying various requirements 
concerning privacy and security. 

Usually, the desired properties for an electronic cash system are the following: 

• Security: coins must be unforgeable and it must be impossible to use the same coin 
twice without being identified. 

• Privacy: The purchases must be untraceable and it must be impossible for anyone 
to determine whether two payments were made by the same user. 

In the simplified model of off-line electronic cash system that we use, three types of 
parties are involved: the customers (or ‘users’), the shops and a bank. Three possible 
transactions may occur between them: the withdrawal (by a user from the bank), the 
payment (by a user to a shop), and the deposit (by a shop to the bank). In the 
withdrawal protocol, the user withdraws electronic coins from the bank while his 
account is being debited. In the payment protocol the user pays the shop with the 
coins he has withdrawn. In the deposit protocol, the shop deposits the coins it has 
received in the bank and the shop’s account is credited. 

In our system, the users form a group. A trusted authority acts as the manager of this 
group. We will call this trusted authority GR (for group manager). The role of GR is 
to fill, only once, each user’s device (not necessarily tamper-resistant) with a special 
string. The only constraint is that GR is trusted to produce only one such string per 
user. We will call such a string a license$^3$ (or membership certificate using the
terminology of [1, 2]).

Our scheme is an anonymous payment system, however the customers' anonymity 
may be revoked by a proper trusted authority. We will call this trusted authority the 
revocation manager {RM in short). The customers' anonymity can be revoked in the 
following way: 

• owner tracing: the bank provides the trusted authority with data of a (suspect) 
payment (in fact the deposit) and asks for the identity of the customer who has 
withdrawn the money used in this (suspect) payment. 

3.1 The Set-Up of the System 

For the sake of simplicity, we assume that there is only one coin denomination in the 
system (extension to multiple denominations is easy). 

The Group Manager. The group manager computes the following values:

- an element $n \in \mathcal{N}$. For this purpose, GR selects random primes $p$, $q$, $p'$ and $q'$
($p < q$), such that $p = 2p'+1$, $q = 2q'+1$ (where $p'$ and $q'$ are of equal length), and
computes $n = pq$. Let $l_n$ denote the bit-length of $n$.

$^3$ This concept was first introduced in [32].

- a public exponent $e \geq 4$ such that $e$ is relatively prime to $\varphi(n)$.

- a prime number $P$ such that $n$ divides $P - 1$.$^4$

- $g$ an element of $\mathbb{Z}_P^*$ of order $n$. Let $G = \langle g \rangle$.

- an element $h \in G$ whose discrete logarithm to the base $g$ must not be known.

- a (suitably chosen)$^5$ element $C \in \mathbb{Z}_n^*$.

- $N$ another element of $\mathcal{N}$ ($N = P_1 Q_1$, where $P_1 < Q_1$, $P_1 = 2P'+1$, $Q_1 = 2Q'+1$ and
$P_1$, $Q_1$, $P'$ and $Q'$ are all prime numbers). Let $l_N$ denote the bit-length of $N$.

- an element $\beta \in \mathbb{Z}_N^*$ of large multiplicative order modulo both prime factors of $N$.

- $\alpha$ such that $\alpha = \beta^2 \pmod N$. (Note that $\alpha$ is a quadratic residue modulo
$N$.)

- three constants $l_1$, $l_2$ and $\varepsilon > 1$. (These parameters are required for the proofs of
knowledge Proof$_{LOG+RANGE}$ and Proof$_{REP+RANGE}$.)

Then, GR publishes the group's public key $\mathcal{P}_{group}$:
• $\mathcal{P}_{group} = (n, e, g, h, C, l_1, l_2, \varepsilon, N, P, \alpha)$.

Finally, GR publishes a one-way hash function $H$ that maps $\{0,1\}^*$ to $\mathbb{Z}_{2^k}$ (where $k$ is
an appropriate security parameter). An example of choosing the parameters $k$, $l_1$, $l_2$,
$\varepsilon$, $l_n$ and $l_N$ is given in Appendix A.

In practice, components of $\mathcal{P}_{group}$ must be verifiable to prevent framing attacks. For
instance, to verify that $\beta$ has large order in $\mathbb{Z}_N^*$, it is enough to test whether $\beta \neq 1$,
$\beta \neq -1$ and $\gcd(\beta - 1, N) = 1$ (Lemma 1). This proves that $\beta$ has order at least
$P'Q'$. Consequently, $\alpha$, which is equal to $\beta^2 \pmod N$, has order $P'Q'$. GR also needs
to provide a proof that $N$ belongs to $\mathcal{N}$ (i.e., $N = P_1 Q_1$, where $P_1 < Q_1$, $P_1 = 2P'+1$,
$Q_1 = 2Q'+1$ and $P_1$, $Q_1$, $P'$ and $Q'$ are all prime numbers). See [24] or [22] for
efficient methods providing this kind of proof.

The Revocation Manager

1. RM chooses a secret value $x_R \in_R \mathbb{Z}_n^*$.

2. RM publishes $h_R = h^{x_R} \pmod P$.

The Bank

1. The bank B chooses an RSA modulus $N_B$, a public exponent $e_B$ and the
corresponding RSA private key $d_B$ (i.e., $e_B\,d_B = 1 \bmod \varphi(N_B)$).

2. B publishes $e_B$ and $N_B$.

$^4$ One way to achieve this is first to generate $n$ and then find by exhaustive search $P = \omega n + 1$
(where $\omega$ is an integer) as small as possible. In [40], it is argued that given a random $n$, $P$
can be expected to be less than $n \cdot \log_2 n$.

$^5$ See [27] for example.

Finally, B publishes two one-way hash functions $H_1$ and $H_2$:

$H_1 : \{0,1\}^* \to \mathbb{Z}_{N_B}$ and $H_2 : \{0,1\}^* \to \mathbb{Z}_N$.

Beforehand, every user must obtain a license (membership certificate) from GR.

3.2 Obtaining a License

The first step in our system is obtaining a license from GR. A license in our scheme
consists of a pair of integers $(X, \delta)$ satisfying:

$X^e = C + \delta \pmod n$ and $\delta \in I = [\,2^{l_1},\ 2^{l_1} + 2^{l_2} - 1\,]$. (1)

To obtain his license, each user $U_i$ must perform the following protocol with GR.

1. $U_i$ randomly selects an element $x_i$ in $I = [\,2^{l_1},\ 2^{l_1} + 2^{l_2} - 1\,]$ and computes
$ID_i = g^{x_i} \pmod P$ and $id_i = \alpha^{x_i} \pmod N$. ($x_i$ can be jointly determined by $U_i$
and GR.)

2. Then, $U_i$ must prove to GR that he knows $\log_g ID_i$ and that this value is in
$I_{extended}$ (see Definition 4). For this purpose, $U_i$ generates
$U = \mathrm{Proof}_{LOG+RANGE}(\epsilon, g, ID_i, \alpha, id_i, l_1, l_2, l_N, \varepsilon, k)$. Then, he computes
$y = g^{C} \cdot ID_i = g^{\,C + x_i} \pmod P$.

3. Next, $U_i$ chooses $r \in_R \mathbb{Z}_n^*$ and computes $z = r^{e}\,(C + x_i) \bmod n$. He then chooses
$a \in_R \mathbb{Z}_n$ and computes $A = g^{z} h^{a} = y^{\,r^{e}} h^{a}$. $U_i$ then generates
$V = \mathrm{Proof}_{REP+ROOT}(\epsilon, e, y, h, A)$.

4. $U_i$ then sends $y$, $z$, $U$ and $V$ to GR.

GR verifies these proofs and if the verifications are successful sends to $U_i$:

• $z^{1/e} \pmod n = r\,(C + x_i)^{1/e} \pmod n$.

$U_i$ computes $X = z^{1/e} / r = (C + x_i)^{1/e} \bmod n$.

$(X, x_i)$ is the license of $U_i$.

Note: this license has been issued in a blind manner (using the blind RSA-signature
scheme of Chaum [14]). Consequently, at the end of the protocol, GR does not know
$(X, x_i)$.

GR creates a new entry in the group database and stores $ID_i$ and $id_i$ ($U_i$'s account
number) in the new entry.

Remark: If there exist $t$ users in the system, then GR must issue $t$ distinct solutions of
the particular equation (1). So, let us introduce another assumption.

The security of our scheme relies on the following assumption: given one or more
licenses, it is hard to compute a new license without the help of the group manager.

This assumption does not hold when the window parameters are too large relative to the
modulus (the precise condition is illegible in this copy) ([25, 29, 30]). An example of choosing the
parameters $l_1$ and $l_2$ is given in Appendix A. (Our choice is based on the
recommendations given in [29, 30].)
3.3 The Withdrawal Protocol

Each user that has an account and a license can ask for coins from the bank. Below we
will describe the two-move protocol that allows a user $U_i$ to withdraw a coin C\$.
Before the user and the bank begin the protocol, $U_i$ must authenticate itself to the
bank, so that B is sure that $U_i$ is the owner of the corresponding account.

This can be done by any (fast) standard authentication protocol. If the authentication
is successful, then $U_i$ sends a blinded string $s$ to the bank and the bank returns an
RSA-signature on $s$.$^6$ Then $U_i$ extracts the blinding factor and obtains a coin C\$ of the
form $(x, S(x))$ (where $S(x)$ is the bank's signature on $x$). If smart cards are used, the
elements necessary to produce the string $s$ can be computed in a preprocessing mode
during the idle time of the processor and not necessarily during the withdrawal. For
this reason, the withdrawal protocol is very practical.

Let $(X, x_i)$ be the license of $U_i$ ($X^e = C + x_i \pmod n$).

More formally, $U_i$ performs the following protocol with B.

1. $U_i$ chooses $(a, b, z) \in_R (\mathbb{Z}_n^*)^3$ and $r \in_R \mathbb{Z}_{N_B}^*$. He then computes:

- $A = g^{x_i} h^{z} \pmod P$

- $ot = h_R^{\,z} \pmod P$

- $D = g^{a} h^{b} \pmod P$

- $E = h_R^{\,b} \pmod P$. Let $M$ be the following message: $M = A \| ot \| D \| E$.

- $s = r^{e_B} H_1(M) \bmod N_B$.
$U_i$ sends $s$ to B.

2. B computes $s^{d_B} \bmod N_B$ and sends this value to $U_i$.

$U_i$ computes $s^{d_B} / r \bmod N_B = H_1(M)^{d_B} \bmod N_B$. The coin is C\$ $= (M,\ H_1(M)^{d_B} \bmod N_B)$.

Note: the message $M = A \| ot \| D \| E$ (disclosed during the payment protocol) is
intended to both assure owner-tracing (thanks to the `ownertrace' $ot = h_R^{\,z} \pmod P$)
and prevent future double-spending of the coin (thanks to $D = g^{a} h^{b} \pmod P$ and
$E = h_R^{\,b} \pmod P$).
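Added example (not code from the paper) covering both the blind license issuance of Section 3.2 (steps 3 to 5) and the two-move withdrawal of Section 3.3: both are instances of Chaum's blind RSA signature, so one Python helper serves both. The license part shows that the user ends with $(X, x_i)$ satisfying equation (1) while GR only ever sees the blinded value $r^e (C + x_i)$; the coin part shows the bank signing $H_1(M)$ blindly and the shop-side check $sig^{e_B} = H_1(M) \pmod{N_B}$. The proofs $U$ and $V$ of Section 3.2, the hash instantiation, the toy moduli and all names are assumptions made here; $M$ is treated as an opaque byte string.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy moduli (Appendix A asks for l_n = 800 bits and a comparable bank modulus).
p, q = 1283, 1307                      # safe primes: 641 and 653 are prime
n, phi_n = p * q, (p - 1) * (q - 1)
e = 5                                  # e >= 4, coprime to phi(n)
d = pow(e, -1, phi_n)                  # GR's RSA secret: e*d = 1 mod phi(n)
C = 123457                             # the public constant C in Z_n^*
l1, l2 = 14, 6                         # I = [2^l1, 2^l1 + 2^l2 - 1]

p_B, q_B = 1019, 1187                  # the bank's RSA modulus N_B and key pair
N_B, phi_B = p_B * q_B, (p_B - 1) * (q_B - 1)
e_B = 65537
d_B = pow(e_B, -1, phi_B)
assert gcd(e, phi_n) == 1 and gcd(e_B, phi_B) == 1 and gcd(C, n) == 1


def random_unit(m):
    """Uniform blinding factor in Z_m^* (rejection sampling)."""
    while True:
        r = secrets.randbelow(m - 2) + 2
        if gcd(r, m) == 1:
            return r


def rsa_root(z, secret_exp, modulus):
    """Signer side of Chaum's blind RSA signature: z -> z^{1/e} = z^d (mod modulus).
    The signer only ever sees the blinded value z."""
    return pow(z, secret_exp, modulus)


def obtain_license(x):
    """Steps 3-5 of Section 3.2 (the proofs U and V are left out here).
    Returns (X, x) with X^e = C + x (mod n); GR learns neither X nor x."""
    assert 2**l1 <= x < 2**l1 + 2**l2
    r = random_unit(n)
    z = pow(r, e, n) * (C + x) % n           # blinded value r^e (C + x) sent to GR
    signed = rsa_root(z, d, n)               # GR returns z^{1/e} = r (C + x)^{1/e}
    X = signed * pow(r, -1, n) % n           # user removes the blinding factor
    return X, x


def license_valid(X, x):
    """Equation (1) of Section 3.2."""
    return pow(X, e, n) == (C + x) % n and 2**l1 <= x < 2**l1 + 2**l2


def H1(M):
    """H_1 : {0,1}^* -> Z_{N_B}."""
    return int.from_bytes(hashlib.sha256(M).digest(), "big") % N_B


def withdraw(M):
    """Two-move withdrawal of Section 3.3: blind H_1(M), have the bank sign, unblind."""
    r = random_unit(N_B)
    s = pow(r, e_B, N_B) * H1(M) % N_B       # sent to the bank
    signed = rsa_root(s, d_B, N_B)           # bank answers s^{d_B}
    return M, signed * pow(r, -1, N_B) % N_B  # coin C$ = (M, H_1(M)^{d_B} mod N_B)


def coin_valid(coin):
    """Coin authentication phase of the payment: the shop checks the bank's signature."""
    M, sig = coin
    return pow(sig, e_B, N_B) == H1(M)


def demo():
    X, x = obtain_license(2**l1 + 17)
    coin = withdraw(b"A||ot||D||E")           # constructed placeholder for the real M
    forged = (coin[0] + b"x", coin[1])        # the signature moved to another message
    return license_valid(X, x), coin_valid(coin), coin_valid(forged)
```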

$^6$ Any other blind signature scheme can be used.

3.4 The Payment Protocol

The user $U_i$ wants to spend the coin C\$ in the shop S. We assume that the shop S is
known under $Id_S$ (its account number for example), and define `$t$' to be the payment
(date and) time. Let $msg = (Id_S \| t)$.

Payment consists of two stages: coin authentication and proof phase. During the coin
authentication phase, the shop verifies that the coin C\$ bears the bank's signature. In
the proof phase, the user tries to convince the shop that his license is `embedded' in
his coin.

Let us describe the proof phase:

1. $U_i$ computes $F = A \cdot g^{C} = g^{\,x_i + C} h^{z} = g^{\,X^e} h^{z} \pmod P$.

He then generates $U = \mathrm{Proof}_{REP+ROOT}(\epsilon, e, g, h, F)$.

Let $m \in \mathbb{Z}_N^*$ (for example $m = H_2(msg \| M)$) and let $S$ be the power of $m$ given by
Lemma 2 (improved), reduced modulo $N$. We know that $S \in \langle \alpha \rangle$ (Lemma 2 improved).

$U_i$ computes $T = S^{x_i} \bmod N$ and generates
$V = \mathrm{Proof}_{REP+RANGE}(\epsilon, g, h, A, S, T, l_1, l_2, l_N, \varepsilon, k)$ (this proof will convince the shop
that the $g$-part of the representation of $A$ with respect to $(g, h)$ is in $I_{extended}$ (see
Definition 4) and is equal to $\log_S T$).

Finally, $U_i$ uses the commitments $D$ and $E$ to generate:

$\mathrm{Proof}(ot) = \mathrm{Proof}_{REP+LOGEQ}(msg, h, g, A, h_R, ot)$ (for owner tracing). More precisely,

$\mathrm{Proof}(ot) = (c, r_1, r_2)$, where $c = H(msg \| h \| g \| A \| h_R \| ot \| D \| E)$,

$r_1 = b - c\,z \bmod n$ and $r_2 = a - c\,x_i \bmod n$, with $(a, b)$ from the withdrawal
(Section 3.3). $U_i$ sends C\$, $U$, $V$ and $\mathrm{Proof}(ot)$ to the shop.

2. S verifies the bank's signature and the proofs and, if the verifications hold, accepts
the payment.

Note: $U$ and $V$ will convince the shop that a license is `embedded' in C\$.
3.5 The Deposit Protocol 

To be credited with the value of this coin, the shop sends the transcript of the 
execution of the payment protocol to the bank, which verifies, exactly as the shop did, 
that the coin C$ bears the bank's signature and that the other responses are correct. 
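Added example (not code from the paper) for Definition 2 as it is used in the payment protocol and for the deposit-time consequence that Sections 3.3 to 3.5 rely on: because $\mathrm{Proof}(ot)$ reuses the commitments $(D, E)$ fixed at withdrawal, two payments of the same coin under different $msg$ give two responses to the same commitments, and the bank can solve for $z$ and $x_i$ modulo $n$, which identifies $ID_i = g^{x_i}$ and the $x$-part of the license for the blacklist of Appendix A. The shop-side verifier also checks that the recomputed commitments equal the $D$ and $E$ carried inside the bank-signed $M$; without that check the proof would not be bound to the coin. Everything runs over a constructed toy group ($n = 253$, $P = 1013$); the hash instantiation, the naming $h_R$, $x_R$ and the bank's retry when $c_1 - c_2$ is not invertible modulo $n$ are assumptions of this example. The owner-tracing procedure itself is not described in the paper and is not reconstructed here.

```python
import hashlib
import secrets
from math import gcd

# Constructed toy group: n = 11*23 = 253 (safe primes), P = 4n + 1 = 1013 prime, G of order n.
n, P, k = 253, 1013, 32


def element_of_order_n():
    for r in range(2, P):
        cand = pow(r, (P - 1) // n, P)
        if cand != 1 and pow(cand, 11, P) != 1 and pow(cand, 23, P) != 1:
            return cand
    raise RuntimeError("no element of order n")


g = element_of_order_n()
h = pow(g, 101, P)          # second generator; log_g h must be unknown in a real deployment
x_R = 79                    # revocation manager's secret (in Z_n^*)
h_R = pow(h, x_R, P)        # published by RM


def H(*parts):
    """H : {0,1}^* -> Z_{2^k} (SHA-256 truncated to k bits)."""
    data = b"||".join(str(v).encode() for v in parts)
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % (1 << k)


def withdraw_values(x_i):
    """Withdrawal-time part of M (Section 3.3): A = g^{x_i} h^z, ot = h_R^z and the
    commitments (D, E) that every payment of this coin will reuse."""
    a, b, z = (secrets.randbelow(n) for _ in range(3))
    A = pow(g, x_i, P) * pow(h, z, P) % P
    ot = pow(h_R, z, P)
    D = pow(g, a, P) * pow(h, b, P) % P
    E = pow(h_R, b, P)
    return (A, ot, D, E), (a, b, z)


def proof_ot(msg, M, user_secrets, x_i):
    """Proof(ot) of Section 3.4 = Proof_{REP+LOGEQ}(msg, h, g, A, h_R, ot), with the
    withdrawal commitments (D, E) in place of fresh ones."""
    A, ot, D, E = M
    a, b, z = user_secrets
    c = H(msg, h, g, A, h_R, ot, D, E)
    return c, (b - c * z) % n, (a - c * x_i) % n


def verify_ot(msg, M, proof):
    """Shop side: recomputed commitments must equal the bank-signed D and E, and the
    challenge must be the hash of this payment's message."""
    A, ot, D, E = M
    c, r1, r2 = proof
    D_rec = pow(h, r1, P) * pow(g, r2, P) * pow(A, c, P) % P
    E_rec = pow(h_R, r1, P) * pow(ot, c, P) % P
    return (D_rec, E_rec) == (D, E) and c == H(msg, h, g, A, h_R, ot, D, E)


def double_spend_extract(t1, t2):
    """Bank side at deposit: two transcripts of one coin with different challenges share
    (a, b, z, x_i), so z and x_i follow by linear algebra mod n.  Returns None when
    c1 - c2 is not invertible mod n (the bank then uses another transcript)."""
    (c1, r1, s1), (c2, r2, s2) = t1, t2
    dc = (c1 - c2) % n
    if gcd(dc, n) != 1:
        return None
    inv = pow(dc, -1, n)
    return (r2 - r1) * inv % n, (s2 - s1) * inv % n     # (z, x_i)


def demo():
    x_i = 2**6 + 5                       # the x_i part of the license (toy size, < n)
    ID_i = pow(g, x_i, P)                # stored by GR when the license was issued
    M, sec = withdraw_values(x_i)
    msg1 = "shop-A||2024-01-01T10:00"
    t1 = proof_ot(msg1, M, sec, x_i)
    ok1 = verify_ot(msg1, M, t1)
    replay = verify_ot("shop-C||2024-01-02T09:00", M, t1)     # transcript replayed elsewhere
    # The same coin spent a second time: the shop accepts, but the bank later holds
    # two transcripts with different challenges for the same (D, E).
    found = None
    for minute in range(1, 60):
        msg2 = f"shop-B||2024-01-01T11:{minute:02d}"
        t2 = proof_ot(msg2, M, sec, x_i)
        ok2 = verify_ot(msg2, M, t2)
        found = double_spend_extract(t1, t2)
        if found:
            break
    z, x_rec = found
    return ok1, ok2, replay, pow(g, x_rec, P) == ID_i, pow(h_R, z, P) == M[1]
```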
Appendix A: The Security of the Scheme

Let us analyze, informally speaking, the security of our scheme. (Due to space
limitations, the description of the tracing mechanisms is omitted.)

Security for B (unforgeability). The security of our cash system is based on the
security of the RSA signature scheme and on the assumption that computing a valid
license is infeasible if the factorization of the modulus $n$ is unknown.

Anonymity. The blind RSA-signature scheme is a perfect blind signature scheme.
(Consequently, it prevents linking the withdrawal of a coin to the payment made with
this coin.) So, in our system only $T = S^{x_i} \bmod N$ could help to establish a link
between a payment and an account number $id_i = \alpha^{x_i} \bmod N$. However, if the
decision Diffie-Hellman assumption holds, it is hard to establish such a link.
Moreover, $U$, $V$ and $\mathrm{Proof}(ot)$ leak no information that seems useful for establishing a
link between a payment and an account number.

Blacklist (see also Appendix B). Let $(X, x)$ be the license of a multiple spender.
Then, this license can be put on a blacklist. This blacklist can be sent to the vendors.
At the time of a payment, the vendor can check whether the customer's license is on
the blacklist or not. For this purpose, he must perform the following test (for each $x$
in the blacklist$^7$): $T \stackrel{?}{=} S^{x} \bmod N$ (see the payment protocol for the meaning of $T$).

System parameters. We propose to use our system with the following parameters:
$e = 5$, $\varepsilon = 4/3$, $k = 80$, $l_1 = 325$, $l_2 = 160$, $l_n = 800$, $l_N = 1200$.

Appendix B: Weaknesses of the Lysyanskaya-Ramzan Trustee Based
Anonymous Offline Electronic Cash System

In this section, we describe some weaknesses in the design of the group based
anonymous offline electronic cash system of Lysyanskaya and Ramzan [28].
Borrowing freely from the exposition in [28], we now recall how their cash system
works.

In their scheme, all the banks form a group and the designated entity with respect to
this group is (for example) the country's Central Bank. The users (spenders) in their
system form a group too. A trusted third party (TTP for short) acts as the designated
entity of this group. When a user wants to withdraw e-cash from his bank, he first
creates an electronic coin $C$.

$^7$ If the licenses are stored in tamper-resistant smart cards, the blacklist will contain only a few
values.

His bank applies a group blind signature to $C$ and withdraws the appropriate amount
from the user's account. The user can now spend his coin $C$ in a shop. For this
purpose, he applies the user group signature to $C$ (now, no one except the TTP can
determine the identity of the spender). He then gives $C$, together with both the bank's and
the user's signatures on $C$, to a vendor. The vendor uses the banks' public key to verify the
bank's signature on $C$. He also checks that the user's group signature is authentic (by using
the users' public key). If the coin is valid, the vendor gives Alice her merchandise, and
gives the coin to his bank. If there are any conflicts (e.g., the user has double-spent his
coin), then the TTP can intervene and determine the identity of the user.

The weakness of this approach comes from not embedding (in one way or another) the
user's identity in the coin he withdraws. This leads to the following collusion attack:
Let Alice and Bob be two (colluding) users. Let $s_B$ be Bob's private key with respect
to the users' public key. Bob can withdraw a coin $C$ and spend it several times in
different shops. This fraud will be detected, Bob will be identified and (probably) not
allowed in future to make new withdrawals. But this by no means prevents him from
giving his private key $s_B$ to Alice, who can use $s_B$ to sign coins $C$ she (legitimately)
withdrew at her bank... and spend each of them as many times as she likes, since the fraud will
be attributed forever to Bob! Still worse: even if $s_B$ were disclosed and put on a
blacklist, this would be of no help since there is no way the merchant can detect that
$s_B$ has been used (group signatures are untraceable and unlinkable). Note that
collusion is not even required: Bob may be an honest user whose key has been
compromised or lost (and which is fraudulently used by Alice). So the problem the
TTP has to solve is to find a method of stopping such a fraud. Section 3 gives a
solution to this problem.

Note: In traditional electronic cash systems [4, 15] (i.e., not based on a group
signature scheme) such a fraud is not possible.

Appendix C: Weaknesses of Some Group Signature Schemes

In this appendix, we describe some weaknesses of recently proposed group signature
schemes [1, 2, 10, 28].$^8$ In [1], Ateniese and Tsudik presented an efficient group
signature scheme. However they do not address the issue of `coalition resistance' (an
important security requirement for group signature schemes). They have studied this
problem in the appendix to their original paper [1] and also in a separate paper [2]. In
this section, we will focus on this issue. The group signature scheme described in [1]
is clearly not coalition-resistant. So, we will examine their second scheme [2].

More precisely, we will show that three colluding members of the group can generate
a valid membership certificate without the help of the group manager. As a
consequence, these colluding members can generate valid group signatures which are
perfectly untraceable (that is, the revocation manager is unable to determine the
originator of such signatures).

Let us briefly describe the Ateniese-Tsudik group signature scheme.

In the setup phase, the group manager (which is also the revocation manager) must
perform the following operations: he creates an RSA modulus $n = pq$, $p = 2p'+1$, $q =
2q'+1$ where $p, q, p', q'$ are primes (only the group manager knows $p$, $q$, $p'$ and $q'$).

$^8$ Due to space limitations, we will only describe an attack on [2].

Then, he chooses two elements $a, b \in \mathbb{Z}_n^*$ of large multiplicative order modulo both
prime factors of $n$. Finally, he selects two secret random exponents $y$, $z$, and a public
prime $v$ and computes $Y = a^{y}$ and $Z = a^{z}$. The group public key is:

$\mathcal{Y} = (n, v, a, b, Y, Z)$.

If a user $M$ wants to join the group he has to pick certain parameters and engage in a
protocol with the group manager in order to obtain a membership certificate.

The user chooses a value $x$ such that $0 < x < v$ and at the end of the protocol, he will
obtain a membership certificate $(A, B)$ where $A = a^{xy}$ and $B = b^{\,x^{t}}$. Here $t$ stands for
the fixed public exponent of the scheme, which is illegible in this copy; the attack below
only uses the fact that the exponent of $b$ is the $t$-th power of $x$. $x$ is the private
key of the user $M$. (In fact, the value $x$ is jointly chosen by the member and the group
manager. However, only the member knows $x$.) To sign on behalf of the group
requires the knowledge of a value $x$ and a corresponding membership certificate
$A = a^{xy}$, $B = b^{\,x^{t}}$.

The coalition resistance of the Ateniese-Tsudik protocol [2] is based on the following
assumption: given one or more certificates of the form $(A = a^{xy},\ B = b^{\,x^{t}})$, it is
hard to generate a new membership certificate without the help of the group manager.
Let $M_1$, $M_2$, $M_3$ be three colluding members of the group.

Let $(A_i, B_i)$ be the certificate of the member $M_i$ ($i \in \{1, 2, 3\}$).

So $A_i = a^{x_i y}$, $B_i = b^{\,x_i^{t}}$, where $x_i$ is known by $M_i$ and is such that $0 < x_i < v$.

Suppose (for the sake of simplicity) that $0 < x_1 < x_2 < x_3 < v$.

Let $x = x_1 - x_2 + x_3$. We have $0 < x < v$.

Let $d = \gcd(x_1, x_2, x_3)$. Let $y_i = x_i / d$ ($i \in \{1, 2, 3\}$).

We have $d^{t} = \gcd(x_1^{t}, x_2^{t}, x_3^{t})$. So, we can find three integers $\alpha$, $\beta$ and $\delta$ such
that $\alpha\,x_1^{t} + \beta\,x_2^{t} + \delta\,x_3^{t} = d^{t}$. Let $C = B_1^{\alpha} \cdot B_2^{\beta} \cdot B_3^{\delta}$. This implies that $C = b^{\,d^{t}}$.

Recall that $x = x_1 - x_2 + x_3 = y_1 d - y_2 d + y_3 d = d\,(y_1 - y_2 + y_3)$. So
$x^{t} = d^{t}\,(y_1 - y_2 + y_3)^{t}$. Let $A = A_1 \cdot A_2^{-1} \cdot A_3$ and $B = C^{\,(y_1 - y_2 + y_3)^{t}}$.

This implies that $A = a^{xy}$, $B = b^{\,x^{t}}$. So $(A, B)$ is a valid membership
certificate that cannot be traced. Consequently, the proposed scheme is not
coalition-resistant.$^9$



$^9$ We have informed Ateniese and Tsudik of our attack. They have modified their scheme in
order to thwart our attack. In their new scheme a membership certificate is again a pair $(A, B)$,
now built from $x$ and two secret exponents $y_1$ and $y_2$ (the exact form is illegible in this
copy). Unfortunately, this new scheme is vulnerable to an attack similar to the one described in
Appendix C.

We point out that a similar attack to the one described in Appendix C also applies to the first
group signature scheme described in [10], as also observed independently by Ateniese and
Tsudik [2]. This scheme is also used in [28]. Due to space limitations, we will only describe
the attack on this scheme [10] in the full paper, in which we will also propose two heuristic
methods to thwart this attack.
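Added example (not code from the paper): the coalition attack of Appendix C carried out in Python on a constructed toy instance. Three members combine their certificates $(A_i, B_i) = (a^{x_i y}, b^{x_i^t})$ exactly as above: $A$ by multiplication and division, $B$ through a Bézout combination of the $t$-th powers followed by raising to $(y_1 - y_2 + y_3)^t$; the result equals what the manager would have issued for $x = x_1 - x_2 + x_3$, which no member knows the manager ever issued. Since the scheme's exponent $t$ is illegible in this copy, the code takes $t$ as a parameter and the test runs it for $t = 2$ and $t = 3$, which shows the attack does not depend on the value of $t$. The moduli, $a$, $b$, $y$, $v$, the members' secrets and all names are choices made here.

```python
from math import gcd

# Constructed toy parameters for the setting of Appendix C: n = p*q with p, q safe primes,
# a and b of large order mod both factors, y the group manager's secret exponent.
p, q = 1283, 1307
n = p * q
a, b = 3, 5
y = 101                      # secret exponent of the group manager (A = a^{x*y} = Y^x)
v = 1009                     # public prime bounding the members' secrets x


def ext_gcd(u, w):
    """Returns (g, s, t) with s*u + t*w = g = gcd(u, w)."""
    if w == 0:
        return u, 1, 0
    g, s, t = ext_gcd(w, u % w)
    return g, t, s - (u // w) * t


def bezout3(u1, u2, u3):
    """Integers (al, be, de) with al*u1 + be*u2 + de*u3 = gcd(u1, u2, u3)."""
    g12, s1, s2 = ext_gcd(u1, u2)
    _, s12, s3 = ext_gcd(g12, u3)
    return s12 * s1, s12 * s2, s3


def issue_certificate(x, t):
    """Group manager's certificate (A, B) = (a^{x*y}, b^{x^t}) for a member secret 0 < x < v."""
    assert 0 < x < v
    return pow(a, x * y, n), pow(b, x**t, n)


def coalition_forge(certs, xs, t):
    """Three colluding members derive the certificate for x = x1 - x2 + x3 without the
    manager, following the steps of Appendix C."""
    (A1, B1), (A2, B2), (A3, B3) = certs
    x1, x2, x3 = xs
    x = x1 - x2 + x3
    d = gcd(gcd(x1, x2), x3)
    y1, y2, y3 = x1 // d, x2 // d, x3 // d
    al, be, de = bezout3(x1**t, x2**t, x3**t)               # al*x1^t + be*x2^t + de*x3^t = d^t
    C = pow(B1, al, n) * pow(B2, be, n) * pow(B3, de, n) % n  # = b^{d^t} (pow inverts for al < 0)
    A = A1 * pow(A2, -1, n) * A3 % n                          # = a^{(x1 - x2 + x3) y} = a^{x y}
    B = pow(C, (y1 - y2 + y3)**t, n)                          # = b^{d^t (y1-y2+y3)^t} = b^{x^t}
    return x, (A, B)


def demo(t):
    """True when the forged pair equals a manager-issued certificate for a fresh x in (0, v)."""
    xs = (120, 300, 450)
    certs = [issue_certificate(x, t) for x in xs]
    x, forged = coalition_forge(certs, xs, t)
    return 0 < x < v and forged == issue_certificate(x, t) and x not in xs
```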
Abstract. All known anonymous electronic cash protocols are inefficient
compared to other electronic payment protocols. This is because
much of the complexity of the protocols is devoted to ensuring the anonymity
of the consumer. This problem is addressed with an extension
of Brands' electronic cash payment protocol using batch cryptography.
Batch signature generation is used to improve the efficiency of the withdrawal
process so that multiple coins can be withdrawn for almost the
cost of only one Brands' coin withdrawal. As a consequence coins withdrawn
together can be linked. Batch verification is also used to increase
the efficiency of payment. We show that the security of the original
scheme is maintained and the level of privacy provided by the cash
scheme can be determined by the customer.



1 Introduction 

For the last few years, anonymous off-line electronic payment has seen growing 
interest from both the research and the business communities. In its simplest 
form electronic payment consists of three remote entities: the merchant, the 
customer and the bank. These entities participate in four secure protocols 
conducted over insecure communications channels. During execution of these 
protocols an electronic coin (a series of bits representing commitment to value) 
is transmitted between the three entities. These protocols are called registration, 
withdrawal, payment and deposit. The customer identifies herself to the bank 
in the registration protocol and establishes the necessary cryptographic keys. The 
customer obtains electronic coins from the bank in the withdrawal protocol. 
The customer exchanges electronic coins for goods from the merchant during 
payment. The merchant returns the coins to the bank during deposit. 

An electronic payment scheme is anonymous if the merchant and the bank 
cannot determine the identity of the customer involved in a transaction during 
payment or when the electronic coin is deposited. An electronic payment protocol 
is off-line if the customer and the merchant conduct the payment protocol 
without the participation of the bank. Brands’ protocol [?] is both anonymous 
(no matter how computationally powerful any of the entities are) and off-line. 
In addition, it provides single-term coins which can only be spent once before 
being deposited back to the bank. All these properties will be inherited by the 
scheme proposed in this paper, except that the strength of anonymity will 
become tuneable in a way that we will specify. 

Despite the similarities between electronic payment and physical payment, 
the number of practical anonymous off-line electronic payment schemes which 
have been implemented for long-term use is surprisingly low. There are still some 
major issues which must be addressed before anonymous electronic payment is 
widely accepted. One of these issues is consumer confidence in the security of 
the transaction and in the privacy of the transaction. Another important issue 
is the efficiency of the protocols used, both in terms of data transmitted 
and in computation. All proposed schemes expend a large computational effort in 
providing the customer with anonymity from the bank and the merchant. Banks 
do not want to spend a lot of computation on each withdrawal, especially 
when large numbers of transactions have to be accommodated. Customers and 
merchants do not want to spend a lot of time conducting payments or storing 
large amounts of information as electronic coins. 

We address the issue of efficient electronic payment systems in this paper 
while still maintaining the anonymous and off-line properties. We are particularly 
interested in reducing computation for the bank during withdrawal, since the 
bank is the ‘central server’ that will have the highest computational load. 



1.1 Previous Work 



There have been numerous anonymous electronic payment schemes presented in 
the literature. Chaum [?] was the first to use a blind signature mechanism (also 
introduced by Chaum [?]) to construct an anonymous payment scheme. Chaum’s 
first scheme granted the customer unlimited anonymity which would allow the 
possibility for abuse of the system by spending coins many times. Several 
subsequent protocols provided anonymity revocation on the detection of double 
spending or some other protocol breach [?]. Unfortunately most 
of these schemes were too complex and computationally intensive to be practical. 
It wasn’t until Brands presented his untraceable off-line cash scheme based 
on Schnorr signatures [22] that a practical anonymous scheme became available. 
Since then many proposed anonymous payment schemes have been variations 
of Brands’ original protocol [?]. However, even Brands’ scheme is 
much more computationally intensive than we would like, particularly for the 
bank which is likely to have to serve large numbers of customers simultaneously 
when electronic cash becomes popular. Our payment scheme is based on Brands’ 
too and changes the withdrawal and payment phases to improve efficiency. 

There are a number of divisible cash schemes in the literature [?]. 
The basis of all these protocols is that the value of a single coin can be split 
so that an exact value is used in a transaction. This can be compared with 
our protocol in that we also enable many payments from a single withdrawal, 
although our protocol is not a truly divisible cash protocol. The problem with the 
known divisible cash schemes is that they all appear to have a computationally 
expensive setup process which severely limits their overall efficiency. 

Brands’ protocol and most of its variations have the same structure. During 
withdrawal the bank and the customer exchange information (including the 
identity of the customer) which is used to generate a representation of the electronic 
coin for the customer to commit to. This data is blinded by the customer and 
sent to the bank. In this way, the customer hides her identity from the bank and 
others. Once the bank is convinced the coin has been constructed correctly and 
that it does contain the identity of the customer, he sends the signed coin back 
to the customer. 

During payment the customer transfers the bank-signed customer commitment 
as the coin to the merchant. The merchant provides some information 
to link the coin to a particular transaction. The coin and transaction data are 
finally returned to the bank by the merchant during deposit. Then the bank 
verifies that the transaction has been conducted correctly. If double spending 
of the coin is detected then the bank can revoke the anonymity of the coin by 
revealing the identity of the customer. The bank is unable to do this unless the 
customer has actually spent the coin twice. 

The most complex and computationally expensive component of the entire 
scheme is not the payment protocol but the withdrawal process. The protocol 
which we present addresses this weakness by allowing multiple coins to be 
withdrawn in a protocol which is based on Brands’ protocol for withdrawal of a 
single coin. In addition, we show how the merchant can also save in computation 
by checking the validity of several coins at the same time. 



1.2 Our Approach 

In this paper, an extension to Brands’ untraceable off-line cash protocol [?] is 
presented. The main idea is to use techniques from batch cryptography to 
streamline the processing required. Batch signature generation increases the efficiency 
of the blind signature generated by the bank in the withdrawal protocol. In effect 
batch signatures allow many coins to be withdrawn using the one withdrawal 
procedure. The computational expense for this process is equivalent to just one 
blind signature! The cost is a small increase in the size of coins, which increases 
linearly with the number of coins withdrawn. We use another batch technique 
during payment, to reduce the cost to the merchant of verifying many coins 
together. By allowing multiple coins to be exchanged in a single payment we 
can use our protocol to conduct transactions of exact change. We regard the 
following as the main contributions of the current paper. 

— The use of a batch signature generation algorithm in conjunction with a 
(blinded) Schnorr signature scheme. 

— A new anonymous electronic cash scheme which is more efficient than other 
similar anonymous payment schemes but still provides the same security as 
Brands’ untraceable off-line cash protocol. 
In section 2 we provide an overview of the new payment scheme. In section 3 
we discuss the security of this new scheme and compare its security with Brands’ 
scheme. In section 4 we comment on the performance of our new scheme. In the 
appendix of this paper we describe batch signature generation based on the Schnorr 
signature scheme, which is the basis of the coins used in our scheme. We also prove 
the security of these batch signatures. 

2 The New Cash Protocol 

We must define some parameters. In most cases these are the same as those 
used by Brands and we keep the notation the same as far as possible. Let the 
bank choose the large primes $p, q$ as public keys, where $q$ is a factor of $p - 1$, 
and a private key $x \in_R \mathbb{Z}_q$. The bank also publishes a set of random public 
generators $g, g_1, g_2$. Here the value $g_2$ is a new parameter which varies according 
to the specific number of coins $n$ within a batch. In this way all the entities in 
the transaction can verify that the correct number of coins are contained within 
each batch coin. The bank has an additional public key $h = g^x$. Let $H$ and $H_0$ 
be publicly known collision-free functions. 

We shall use a batched version of the signature used by Brands, which is in 
turn a variant of Schnorr’s signature. (The batched version of Schnorr’s signature 
is described in the appendix and its security is proven.) We shall say that the 
tuple $(h_1, \ldots, h_n, z, a, b, r, i)$ is a signature of the pair $(A, B_i)$ if 

$g^r = h^c a$ and $A^r = z^c b$ 

where $h_i = H_0(B_i)$ and $c = H(A \| h_1 \| \ldots \| h_n \| z \| a \| b)$. 

We will refer to this signature as $sign(A, B_i)$. This can be extended in the 
obvious way to any subset of $B_i$ values which are signed with the same $z, a, b, r$ 
values. 

Before any protocol can be conducted, the customer must register her identity 
with the bank. This is equivalent to opening an account with the bank in 
the physical world. During the registration process the customer and the bank 
securely exchange a value $I = g_1^{u_1}$ which uniquely identifies the customer to the 
bank. The value $u_1$ is a secret kept by the customer. 



2.1 Withdrawal 

During the withdrawal protocol (see figure 1) the customer is able to generate a 
valid electronic coin with the assistance of the bank. As in Brands’ cash protocol, 
it is assumed that when a customer wishes to withdraw an electronic coin from 
the bank, she has previously proven that she has a valid account at the bank. 

The bank, on determining that the customer owns a valid account, chooses a 
random number $w \in_R \mathbb{Z}_q$. The bank also calculates the values $z = (I g_2)^x$, $a = g^w$ 
and $b = (I g_2)^w$. The value $a$ represents the witness value which is normally 
generated by the Schnorr signature. The values $b$ and $z$ are to be used to build 
a representation of the electronic coin which hides the customer’s identity. The 
values $a$, $b$ and $z$ are transmitted to the customer. 

At the same time, or at a previous time off-line, the customer chooses several 
random numbers $s, x_{1_1}, \ldots, x_{1_n}, x_{2_1}, \ldots, x_{2_n}$ where $n$ is the number 
of coins to be withdrawn from the bank during this withdrawal protocol run. 
These values are to be used to build a unique representation of the coin and to 
hide the customer’s identity within the coin. The customer generates the coins’ 
representations by computing $A = (I g_2)^s$, $B_1 = g_1^{x_{1_1}} g_2^{x_{2_1}}, \ldots, B_n = g_1^{x_{1_n}} g_2^{x_{2_n}}$ 
and $z' = z^s$. 

On receiving $a$, $b$ and $z$ from the bank, the customer chooses the random 
blinding factors $u$ and $v$. The customer then computes $a' = a^u g^v$ and $b' = b^{su} A^v$. 
Then she calculates the challenge $c' = H(A, H_0(B_1), \ldots, H_0(B_n), z', a', b')$ and 
sends the blinded challenge $c = c'/u$ to the bank. 

The bank returns the appropriate response $r = cx + w$ to the customer and 
debits the customer’s account by the appropriate amount. 



Customer                                              Bank 

Choose s, x_{1_1}, ..., x_{1_n}, x_{2_1}, ..., x_{2_n} 
Calculate A = (I g_2)^s 
          B_1 = g_1^{x_{1_1}} g_2^{x_{2_1}}, ..., B_n = g_1^{x_{1_n}} g_2^{x_{2_n}} 
          z' = z^s 
                                                      Choose w ∈_R Z_q 
                                                      Calculate z = (I g_2)^x 
                                                                a = g^w 
                                                                b = (I g_2)^w 
                      <---------- z, a, b ---------- 
Choose u, v ∈_R Z_q 
a' = a^u g^v 
b' = b^{su} A^v 
c' = H(A, H_0(B_1), ..., H_0(B_n), z', a', b') 
c = c'/u 
                      ------------- c -------------> 
                                                      r = cx + w 
                      <------------ r ------------- 
Verify the signature 
  g^r = h^c a 
  (I g_2)^r = z^c b 
Calculate r' = ru + v mod q 

Fig. 1. The withdrawal protocol 



The customer now checks that the bank has correctly signed the coin by 
verifying that $g^r = h^c a$ and $(I g_2)^r = z^c b$. Once the customer is satisfied she 
calculates $r' = ru + v \bmod q$. It is straightforward to check that $(H_0(B_1), \ldots, H_0(B_n), 
z', a', b', r', i)$ is a batch signature on the pair $(A, B_i)$, and that the verification 
mentioned above is equivalent to the verification of this signature. 
The customer can now construct the coins which have been withdrawn from 
the bank. The $i$th coin and its signature may be denoted by: 

$(A, B_i, H_0(B_1), \ldots, H_0(B_{i-1}), H_0(B_{i+1}), \ldots, H_0(B_n), z', a', b', r', i)$. 

The string $H_0(B_1), \ldots, H_0(B_n), z', a', b', r', i$ represents the bank’s blinded 
signature of $A, B_i$. The customer is able to generate $n$ of these coins which she 
can spend separately. Each coin is uniquely identified by $B_i$. As each coin is 
spent the customer can delete $B_i$ from memory but the customer must retain 
the values $H_0(B_1), \ldots, H_0(B_n)$ until the last coin in the batch has been spent. 

Because $B_i$ is transferred in the coin it is not necessary for $H_0(B_i)$ to be 
also transferred with the coin. If this option is chosen, the value $i$ must also be 
included in the coin so that the merchant can insert $H_0(B_i)$ in the correct order 
during the payment verification. 

Note that because each coin has the same signature, all the coins constructed 
from a single withdrawal process can be linked, although the identity of the 
customer who withdrew the coins is still hidden. If the customer was worried 
about her purchases being tracked with the linked coin she has the option of 
spending the coins with a single specific merchant or withdrawing one coin with 
each batch. This will allow the customer to tune the amount of linkability she 
requires. In practice, banks would probably charge for each withdrawal. This 
could prove to be costly for a customer who desires no linkability. 

2.2 Payment 

This protocol (see figure 2) describes the process in which the customer securely 
transfers an electronic coin to the merchant. It is assumed that once the 
merchant has verified the receipt of the coin he sends the correct goods to the 
customer. 

By using batch signatures, the customer can spend more than one coin during 
a payment protocol run and thus an exact change transaction can be conducted. 
A group of multiple coins is uniquely identified by $B_i, \ldots, B_j$. It is not necessary 
that these coins be spent in a consecutive manner. 

The customer sends a group (or a single one) of her batch-signed coins 
$(A, B_i, \ldots, B_j, sign(A, B_i, \ldots, B_j))$ to the merchant. At this stage the merchant 
is not sure if this coin is valid or not. So he returns a unique challenge $d = 
H(A, B_i, \ldots, B_j, I_M, \text{date/time})$ to the customer. $I_M$ represents the merchant’s 
identity and date/time the recorded date and time of the transaction. 

The customer generates the correct responses $r_{1_i} = d u_1 s + x_{1_i}, \ldots, r_{1_j} = 
d u_1 s + x_{1_j}$ and $r_{2_i} = d s + x_{2_i}, \ldots, r_{2_j} = d s + x_{2_j}$ for each coin that is to be 
spent in this transaction. These responses are returned to the merchant. 

The merchant must now verify that each of the values $B_i, \ldots, B_j$ has indeed 
been signed in the batch signature and thus is linked to the signature provided in 
the coin. To do this he must ensure that the correct $B$ value is used to compute 
the appropriate $H_0(B)$ value. If this is true then the merchant can check that 
$sign(A, B_i, \ldots, B_j)$ is valid by verifying that $g^{r'} = h^{c'} a'$ 
Customer                                              Merchant 

Construct the batch coin = (A, B_i, ..., B_j, 
  H_0(B_1), ..., H_0(B_{i-1}), H_0(B_{j+1}), ..., H_0(B_n), 
  i, ..., j, sign(A, B_i, ..., B_j)) 
                      ------------ coin -----------> 
                                                      Calculate 
                                                      d = H(A, B_i, ..., B_j, I_M, date/time) 
                      <------------- d ------------- 
Calculate 
  r_{1_i} = d u_1 s + x_{1_i}, ..., r_{1_j} = d u_1 s + x_{1_j} 
  r_{2_i} = d s + x_{2_i}, ..., r_{2_j} = d s + x_{2_j} 
            ---- r_{1_i}, ..., r_{1_j}, r_{2_i}, ..., r_{2_j} ----> 
                                                      Calculate H_0(B_i), ..., H_0(B_j) 
                                                      Calculate 
                                                      c' = H(A, H_0(B_1), ..., H_0(B_n), z', a', b') 
                                                      Verify sign(A, B_i, ..., B_j) 
                                                      Choose w_i, ..., w_j ∈_R Z_q 
                                                      Verify 
                                                      g_1^{r_{1_i} w_i + ... + r_{1_j} w_j} g_2^{r_{2_i} w_i + ... + r_{2_j} w_j} 
                                                        = A^{d(w_i + ... + w_j)} B_i^{w_i} ... B_j^{w_j} 

Fig. 2. The payment protocol 



and $A^{r'} = z'^{c'} b'$. The merchant must also check the 
representation of the coin and ensure that the customer has not forged the $r'$ 
values. This is done by choosing random numbers $w_i, \ldots, w_j \in_R \mathbb{Z}_q$ and verifying 

that $g_1^{r_{1_i} w_i + \cdots + r_{1_j} w_j} g_2^{r_{2_i} w_i + \cdots + r_{2_j} w_j} = A^{d(w_i + \cdots + w_j)} B_i^{w_i} \cdots B_j^{w_j}$ 

before accepting the coin as payment. Without the random numbers $w_i, \ldots, w_j$ it is possible 
for the customer to choose any values $r'_{1_i}, \ldots, r'_{1_j}$ and $r'_{2_i}, \ldots, r'_{2_j}$ and, provided 
the sum of these values is valid, the merchant would be unable to detect the 
subterfuge. The size of the random values $w_i, \ldots, w_j$ can be chosen to be only 
15 bits, which allows more efficient modular exponentiations. The security of this 
choice is analysed by Yen and Laih [23] in their own batch signature verification 
scheme. 
2.3 Deposit 

In the deposit protocol (see figure 3) the electronic coin, the values $r_{1_i}, \ldots, r_{1_j}$ 
and $r_{2_i}, \ldots, r_{2_j}$, the date and time of the transaction and the merchant’s identity 
$I_M$ are returned to the bank by the merchant. 

The bank verifies the coin by reconstructing $d$ using the date and time of 
the transaction and the merchant’s identity $I_M$. The bank can now go through 
a similar process of verification to that executed by the merchant during the payment 
protocol. The link between the batch signature and $B_i, \ldots, B_j$ is verified. If this is 
valid the batch signature is checked. And if this is valid the coin’s representation 
is verified. 

When the verification process is successfully completed the bank can credit 
the merchant’s account the value of the coin. 

Merchant                                              Bank 

   ---- coin, r_{1_i}, ..., r_{1_j}, r_{2_i}, ..., r_{2_j}, date/time, I_M ----> 
                                                      Calculate 
                                                      d = H(A, B_i, ..., B_j, I_M, date/time) 
                                                      Calculate 
                                                      c' = H(A, H_0(B_1), ..., H_0(B_n), z', a', b') 
                                                      Check H_0(B_i) correct 
                                                      Verify sign(A, B_i, ..., B_j) 
                                                      Choose w_i, ..., w_j 
                                                      Verify 
                                                      g_1^{r_{1_i} w_i + ... + r_{1_j} w_j} g_2^{r_{2_i} w_i + ... + r_{2_j} w_j} 
                                                        = A^{d(w_i + ... + w_j)} B_i^{w_i} ... B_j^{w_j} 

Fig. 3. The deposit protocol 



As in Brands’ protocol, the identity of the customer can be recovered if the 
user is found to have double spent the coin. To detect double spending it is 
necessary that the bank store $(B_i, \ldots, B_j, \text{date/time}, I_M, r_{1_i}, r_{2_i})$ from previously 
spent coins. The bank detects double spent coins by checking for duplicate $B$’s. 
For example, if a duplicate value $B_i$ is found, the bank generates $d$, $r_{1_i}$ and 
$r_{2_i}$ from the new information and $d'$, $r'_{1_i}$ and $r'_{2_i}$ from the stored coin 
information. The bank determines that the merchant has double spent by checking if 
$d = d'$. Otherwise we assume that the customer has double spent. The customer’s 
identity can be recovered by calculating [expression lost in extraction], which reveals 
the customer’s identity $I$. 
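The withdrawal, payment and deposit steps of sections 2.1 to 2.3, as an added example in Python that is not code from the paper. The toy group p = 2039, q = 1019, the choice of g, g_1 and the batch-dependent g_2, SHA-256 reduced into Z_q standing in for both H and H_0, and the identity-recovery formula used in recover_identity are assumptions of this example rather than the paper's values.

```python
import hashlib
import random

# Constructed toy group (not the paper's 1024/160-bit parameters): p = 2q + 1, so any
# quadratic residue g = h^2 mod p has prime order q, and H is reduced into Z_q.
p, q = 2039, 1019
g, g1 = pow(2, 2, p), pow(3, 2, p)

def H(*parts):
    """Stands in for both H and H_0: hash of the joined parts, reduced into Z_q."""
    data = "|".join(str(v) for v in parts).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % q

def g2_for_batch(n):
    """g_2 is tied to the batch size n, so every party can check how many coins a batch holds."""
    return pow(7 + n, 2, p)

random.seed(1999)
x = random.randrange(1, q)            # bank's private key; h = g^x is its public key
h = pow(g, x, p)
u1 = random.randrange(1, q)           # customer's registration secret; I = g1^u1 identifies her
I = pow(g1, u1, p)

def withdraw(n):
    """Withdrawal of a batch of n coins (bank and customer sides shown in one function)."""
    g2 = g2_for_batch(n)
    Ig2 = I * g2 % p
    # bank: witness a = g^w, plus z and b which carry the customer's identity into the coin
    w = random.randrange(1, q)
    z, a, b = pow(Ig2, x, p), pow(g, w, p), pow(Ig2, w, p)
    # customer: A = (I g2)^s, B_i = g1^x1_i g2^x2_i, z' = z^s, then blinding factors u, v
    s = random.randrange(1, q)
    x1 = [random.randrange(q) for _ in range(n)]
    x2 = [random.randrange(q) for _ in range(n)]
    A = pow(Ig2, s, p)
    B = [pow(g1, x1[i], p) * pow(g2, x2[i], p) % p for i in range(n)]
    hB = [H(Bi) for Bi in B]          # H_0(B_1), ..., H_0(B_n)
    zp = pow(z, s, p)
    u, v = random.randrange(1, q), random.randrange(q)
    ap = pow(a, u, p) * pow(g, v, p) % p
    bp = pow(b, s * u, p) * pow(A, v, p) % p
    cp = H(A, *hB, zp, ap, bp)
    c = cp * pow(u, -1, q) % q        # blinded challenge c = c'/u goes to the bank
    r = (c * x + w) % q               # bank's response; it debits the account for n coins
    assert pow(g, r, p) == pow(h, c, p) * a % p           # customer checks g^r = h^c a
    assert pow(Ig2, r, p) == pow(z, c, p) * b % p         # and (I g2)^r = z^c b
    rp = (r * u + v) % q              # r' = ru + v
    batch = {"n": n, "A": A, "B": B, "hB": hB, "zp": zp, "ap": ap, "bp": bp, "rp": rp}
    return batch, {"s": s, "x1": x1, "x2": x2}

def pay(batch, secrets, idx, merchant_id, date_time):
    """Customer answers the merchant's challenge d for the coins with indices idx."""
    d = H(batch["A"], *[batch["B"][i] for i in idx], merchant_id, date_time)
    s = secrets["s"]
    r1 = {i: (d * u1 * s + secrets["x1"][i]) % q for i in idx}
    r2 = {i: (d * s + secrets["x2"][i]) % q for i in idx}
    return {"idx": idx, "d": d, "r1": r1, "r2": r2}

def verify_payment(batch, spend, merchant_id, date_time, wbits=15):
    """Merchant (and later the bank): H_0 slots, batch signature, batched representation check."""
    A, B, idx, d = batch["A"], batch["B"], spend["idx"], spend["d"]
    g2 = g2_for_batch(batch["n"])
    # recompute H_0(B_i) for each spent coin and place it in its own slot before hashing
    hB = [H(B[i]) if i in idx else batch["hB"][i] for i in range(batch["n"])]
    cp = H(A, *hB, batch["zp"], batch["ap"], batch["bp"])
    if pow(g, batch["rp"], p) != pow(h, cp, p) * batch["ap"] % p:          # g^r' = h^c' a'
        return False
    if pow(A, batch["rp"], p) != pow(batch["zp"], cp, p) * batch["bp"] % p:  # A^r' = z'^c' b'
        return False
    if d != H(A, *[B[i] for i in idx], merchant_id, date_time):
        return False
    # g1^{sum r1_i w_i} g2^{sum r2_i w_i} = A^{d sum w_i} prod B_i^{w_i}, with short random w_i
    w = {i: random.getrandbits(wbits) | 1 for i in idx}
    e1 = sum(spend["r1"][i] * w[i] for i in idx) % q
    e2 = sum(spend["r2"][i] * w[i] for i in idx) % q
    rhs = pow(A, d * sum(w.values()), p)
    for i in idx:
        rhs = rhs * pow(B[i], w[i], p) % p
    return pow(g1, e1, p) * pow(g2, e2, p) % p == rhs

def recover_identity(spend_a, spend_b, i):
    """Bank, on seeing B_i twice with different d: (r1 - r1')/(r2 - r2') = u1, so g1^u1 = I."""
    if spend_a["d"] == spend_b["d"]:
        return None                   # same challenge: the merchant deposited twice
    dr1 = (spend_a["r1"][i] - spend_b["r1"][i]) % q   # (d - d') u1 s
    dr2 = (spend_a["r2"][i] - spend_b["r2"][i]) % q   # (d - d') s
    return pow(g1, dr1 * pow(dr2, -1, q) % q, p)

def demo():
    batch, secrets = withdraw(4)
    pay1 = pay(batch, secrets, [0, 2], "merchant-M", "1999-04-07 10:00")
    ok1 = verify_payment(batch, pay1, "merchant-M", "1999-04-07 10:00")
    pay2 = pay(batch, secrets, [0], "merchant-N", "1999-04-07 11:00")   # coin 0 spent again
    ok2 = verify_payment(batch, pay2, "merchant-N", "1999-04-07 11:00")
    # responses whose plain sum still balances are caught only thanks to the random w_i
    forged = {**pay1, "r1": {0: pay1["r1"][0] + 1, 2: pay1["r1"][2] - 1}}
    rejected = not verify_payment(batch, forged, "merchant-M", "1999-04-07 10:00")
    return ok1, ok2, rejected, recover_identity(pay1, pay2, 0) == I
```

Both payments of coin 0 verify on their own; only the bank, seeing the same B_i with two different challenges at deposit, can link them and recover I.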



3 Protocol Security 

Our scheme can be viewed as a straightforward variation of Brands’ scheme 
in which the signature and coin verification equations have been changed to 
batched versions. It is shown in the appendix that the batched Schnorr signature 
scheme is secure as long as Schnorr’s signature scheme is. But forgery of a coin 
is equivalent to a forgery of the batch Schnorr signature scheme with a modified 
hash function. The security of the verification procedure also follows from the 
analysis of similar schemes given by Yen and Laih [23] and Bellare et al. [?]. 

A representation of a value $X$, with respect to the bases $g_1$ and $g_2$, consists 
of exponents $e_1$ and $e_2$ such that $X = g_1^{e_1} g_2^{e_2}$. Following Brands, we say that 
a customer knows a representation of a coin $A, B_i, H_0(B_1), \ldots, H_0(B_n)$ if she 
knows a representation of $A$ and $B_i$ with respect to $g_1$ and $g_2$. Because 
$A = (I g_2)^s$ and the $B_i$ are chosen as representations in the withdrawal protocol, 
the following holds. 

Proposition 1. If the customer accepts in the withdrawal protocol, then each 
$(A, B_i)$ pair is a batched coin of which she knows a representation. 

In the payment protocol the merchant accepts the coins only if (with 
overwhelming probability) $g_1^{r_{1_i}} g_2^{r_{2_i}} = A^d B_i$. It is straightforward to show that if the 
customer can solve this equation for two different values of $d$ then she must know 
a representation of $A$ and $B_i$. This can be summarized in the following. 

Proposition 2 . A customer can spend a batched coin if and only if she knows 
a representation of it. 

The arguments given for security of the batch Schnorr scheme imply that 
existential forgery of a coin is possible only if Schnorr’s signature scheme is 
existentially forgeable. Together with the above results this means that a coin 
may only be spent by the customer that withdraws the coin. 



4 Protocol Efficiency 

The efficiency of the scheme may be directly correlated to the savings in 
computations due to the batch signature generation. There are, however, some 
additional storage and communication overheads introduced. To consider the storage 
and communication overheads, we compare a batch coin $(A, B_i)$ and its signature 
$(H_0(B_1), \ldots, H_0(B_n), z', a', b', r', i)$ to a basic coin $(A, B)$ and associated 
signature $(z', a', b', r')$. 

For batch size $n$, the size of the coin will increase by $160n$ bits (assuming the 
$H_0$ function produces 160 bits), plus $\lceil \log n \rceil$ additional bits for $i$. For example, 
where $p$ and $q$ are 1024 and 160 bits respectively, a basic coin will be 5270 bits 
in length¹, whilst a batch of 10 coins would be 6710 bits, an increase of only 
27%. On the other hand, if the coins were individually generated using the basic 
scheme, this would be 56320 bits! Thus, a comparative assessment based upon 
the number of coins withdrawn suggests that the batch protocol is lighter. In 
spite of this, each batch coin will be of the same, increased, size and thus a 
communications penalty is incurred. 



¹ $B$ = 1024, $A$ = 1024, $z'$ = 1024, $a'$ = 1024, $b'$ = 1024, $r'$ = 160 

In addition to this small increase in coin size, there are some additional 
computations performed. These will now be viewed from the perspective of each 
interacting party in respect to the original Brands’ scheme when withdrawing $n$ 
coins. 

Bank. The scheme is specifically designed to reduce the computational load 
imposed on the bank during coin withdrawal. The cost of withdrawing one coin is 
exactly the same as the cost of withdrawing n coins. The bank performs exactly 
the same processing steps when signing a batch of coins, with respect to signing 
a single coin! This could provide large savings to the bank as the batch size 
increases. For example, a batch of 10 coins would improve the efficiency by 90% 
over the original scheme. 

Later, when the merchant deposits the coin, the bank is required to store the 
additional 160n bits per coin. It is possible, however, that upon detection of the 
associated batch, the bank may store the spent coin with its parent batch and 
hence reduce the common storage overheads. 

The exponentiation $B_i^{w_i}$ is added to the bank’s computations. However, since 
the $w_i$ are only 15 bits in length this adds only a small amount of computation 
over that which is required to verify a single coin in Brands’ original scheme. The 
additional computation required for each $w_i$ value can be estimated as less than 
4% of that required for individual coin verification with the parameters assumed 
above. 

Customer. At the withdrawal stage, the customer performs two additional 
operations to obtain a batch of coins. This involves the creation of the $B_i$ value, 
and the creation of its corresponding hash value. If we ignore the hash operations, 
the processing increases proportionally by the number of coins in the batch. 
For a batch size of $n$, this will include $2(n - 1)$ additional modular exponentiations. 
Such processing, however, is often precomputed, and its impact may be 
eliminated during the withdrawal stage. 

Once again, if we compare this to withdrawing $n$ basic coins, the batch scheme 
is more efficient. The original scheme requires all operations to be performed for 
each coin, while the batch scheme only requires the calculation of the multiple 
$B$ values. This translates to a saving of around 8 modular exponentiations for 
every additional coin after the first that is withdrawn in the batch. 

During payment the customer forwards the coin and responds to the challenge 
in the same manner as the original scheme. When spending multiple coins, 
although the same processing is required to compute the responses, there will 
actually be a communications saving as the coin is only sent once. In terms 
of storage, once a coin is spent the size of the batch does not decrease, as all 
elements of the batch need to be kept for subsequent payments to merchants. It 
is not until the last coin of the batch is spent that the coin may be discarded. 

Merchant. When the merchant accepts a coin he must recompute the hash 
of $B_i$ and insert this into its correct position to generate $c'$. All other steps 
required to verify the coin are computationally identical to the original scheme for a 
single batch coin. When spending multiple coins the merchant computes an 
additional small modular exponentiation for each $B_i$ under the security parameter 
$w_i$. Under the original scheme the merchant is required to perform the complete 
merchant payment protocol for each coin spent so the new scheme attracts 
$n$ fewer $sign(A, B_i, \ldots, B_n)$ verification operations and $n$ fewer representation 
checks. This equates to $6(n - 1) - 1$ fewer modular exponentiations. (Note that 
the additional $B_i^{w_i}$’s contribute to the existing multi-exponentiation operation.) 

Similar to the customer, the merchant must also provide storage space for 
the larger size of a batch coin. Again, this could be optimized by storing coins 
with an existing parent batch when received. To deposit a coin, the merchant 
merely forwards this to the bank, incurring only the communications penalty 
due to the increased coin size (when forwarding a single batch coin). 
A Batch Schnorr Signature Scheme 

Batch cryptography, originally proposed by Fiat [12], combines $n$ messages into 
one batch for cryptographic transformation. The advantage of this is that an 
efficiency is attained in certain operations; for example signing or verifying $n$ 
messages at once. In Fiat’s and subsequent papers [?] the multiplicative 
property of RSA is used to prepare batches. An alternative approach to the 
multiplicative batch techniques is to combine messages using a suitably collision 
resistant hash function in a way that enables a single public key operation to be 
performed for the whole batch. 

We introduce a technique, using the Schnorr signature scheme [22], that 
enables $n$ messages to be combined into one batch for signing. The basic approach 
is applicable to other signature schemes that employ hash functions, such as 
RSA. The batch signature and the individual messages may be forwarded to $n$ 
different parties for individual verification. The scheme is shown to be as secure 
as the existing signature scheme, with an appropriate choice of hash function. 
The Schnorr signature scheme [22] works in the integers modulo $p$, for a 
large prime $p$. An element $g$ is selected which has order $q$, where $q$ is a prime 
dividing $p - 1$. The private and public keys are $x$ and $h$, where $0 < x < q$, and 
$h = g^x \bmod p$. A signer is able to generate a signature $(c, r)$ on the message $m$ 
as follows. 

$a = g^{\omega} \bmod p$ where $\omega$ is a random element $1 \le \omega \le q - 1$. 
$c = H(m \| a)$ 
$r = cx + \omega \bmod q$ 

Verification of a received signature can be performed as follows. 

$a' = g^r h^{-c} \bmod p$ 
Verify $c = H(m \| a')$ 

Now, by applying a batch protocol, we may sign a batch of $n$ messages with 
the following steps. 

1. Generate signature on a batch of $n$ messages $m_1, m_2, \ldots, m_n$: 

$a = g^w \bmod p$ where $w$ is a random element $1 \le w \le q - 1$ 
$B = H(H_0(m_1) \| H_0(m_2) \| \cdots \| H_0(m_n) \| a)$ 
$r = xB + w \bmod q$ 

2. The batch signature on $m_i$ consists of $(B, r, h_1, \ldots, h_n, i)$, where $h_j = H_0(m_j)$. 

3. To verify the signature $(B, r, h_1, \ldots, h_n, i)$ on message $m_i$ the following 
procedure is performed. 

Calculate $a' = g^r h^{-B} \bmod p$ 
Verify $H_0(m_i) = h_i$ 
Verify $B = H(h_1 \| h_2 \| \cdots \| h_n \| a')$ 
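The batch signing and per-message verification steps above, as an added example in Python that is not code from the paper: the toy group p = 2039, q = 1019, SHA-256 standing in for both H and H_0, and the reduction of H into Z_q are assumptions of this example.

```python
import hashlib
import random

# Constructed toy group (not the paper's parameters): p = 2q + 1, so any quadratic
# residue g = h^2 mod p has prime order q. Real deployments use 1024/160-bit p, q.
p, q = 2039, 1019
g = pow(2, 2, p)

def H0(m: bytes) -> str:
    """Per-message hash H_0; a hex digest so the h_i can be concatenated as strings."""
    return hashlib.sha256(m).hexdigest()

def H(data: str) -> int:
    """Outer hash H, reduced into Z_q so the result can be used as an exponent."""
    return int.from_bytes(hashlib.sha256(data.encode()).digest(), "big") % q

def keygen():
    """Schnorr key pair: private x, public h = g^x mod p."""
    x = random.randrange(1, q)
    return x, pow(g, x, p)

def batch_sign(x: int, messages):
    """Sign n messages with one exponentiation: B = H(H_0(m_1)||...||H_0(m_n)||a)."""
    w = random.randrange(1, q)
    a = pow(g, w, p)
    hs = [H0(m) for m in messages]
    B = H("".join(hs) + str(a))
    r = (x * B + w) % q
    # the holder of m_i receives (B, r, h_1, ..., h_n, i) and can verify on their own
    return [(B, r, hs, i) for i in range(len(messages))]

def batch_verify(h: int, m: bytes, sig) -> bool:
    """Verify the batch signature sig on the single message m claimed to sit in slot i."""
    B, r, hs, i = sig
    if not 0 <= i < len(hs) or H0(m) != hs[i]:   # m must be the i-th batched message
        return False
    a_prime = pow(g, r, p) * pow(h, (-B) % q, p) % p   # a' = g^r h^{-B} = g^w
    return B == H("".join(hs) + str(a_prime))

def demo():
    """Sign three messages in one batch; verify each, then try a message not in the batch."""
    random.seed(1999)
    x, h = keygen()
    msgs = [b"coin-1", b"coin-2", b"coin-3"]
    sigs = batch_sign(x, msgs)
    ok = all(batch_verify(h, m, s) for m, s in zip(msgs, sigs))
    forged = any(batch_verify(h, b"coin-4", s) for s in sigs)
    return ok, forged   # (True, False)
```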

The security of this scheme is dependent upon an appropriate choice of hash 
function. We now demonstrate that if a secure hash function is used then the 
batch signature is as secure as the basic Schnorr signature. We first establish 
what should be considered a successful forgery attack, since this is not quite so 
obvious as in the case of the signature of a single message. 

We wish to show that the batch signature scheme is secure against existential 
forgery. This means that an attacker should be unable to forge the signature of 
any message which has not been previously signed by the owner of the private 
key. Furthermore, we will allow the attacker to perform an adaptive chosen 
signature attack in which the owner of the private key can be induced to sign any 
sequence of messages of the attacker’s choice, the next message in the sequence 
being allowed to depend on any of the previous messages. Finally the attack 
is regarded as successful if the attacker is able to derive the signature of any 
message not previously signed. 
In an adaptive chosen signature attack on the batch signature scheme we will 
only regard the attack as successful if the final derived signature is not in any 
batch of previously signed messages. This is the only reasonable extension of such 
an attack on a basic signature scheme, because it could only be expected that 
the signer would sign a batch of messages if these were all presented together, 
rather than signing a single message in a batch of messages, the rest of which 
were chosen some other way (for example randomly). We make this assumption 
clear since otherwise we are unable to show that a forgery possible on the 
batch scheme leads to a forgery on the basic scheme. 

Theorem 1. If the Schnorr signature scheme is secure against existential 
forgery using an adaptive chosen signature attack then so is the batch signature 
scheme. 

Proof. The main idea is that if $(B, r)$ is a batch signature for the set of messages 
$(m_1, m_2, \ldots, m_n)$, then it is also a basic Schnorr signature on the single message 
$M = h_1 \| h_2 \| \cdots \| h_n$, where $h_j = H_0(m_j)$. This enables us to show that a forgery 
for the batch scheme leads to one for the Schnorr scheme. So we first assume 
that there is a successful adaptive chosen signature attack on the batch signature 
scheme. At each step a batch signature is obtained for the chosen message set, 
and finally a batch signature on a new message, say $\tilde{m}$, is obtained. 

This can be converted to an adaptive chosen signature attack on the Schnorr 
signature as follows. At each stage the chosen message is $H_0(m_1) \| \ldots \| H_0(m_n)$ 
if $m_1, \ldots, m_n$ is the chosen message set for the attack on the batch signature. After 
obtaining all chosen signatures the attack on the batch scheme obtains the forged 
signature $(B, r, h_1, \ldots, h_n, i)$, where $h_i = H_0(\tilde{m})$. As shown above, this is a Schnorr 
signature of the message $M = h_1 \| h_2 \| \cdots \| h_n$. According to our definition of 
a forgery against the batch scheme $\tilde{m}$ has not appeared in any previous batch 
signature found during the attack. Therefore the signature on $M$ is a successful 
existential attack on the Schnorr scheme unless $M$ appeared before as the 
output for a different message set. In particular this must include a message $\hat{m}$ 
with $h_i = H_0(\hat{m}) = H_0(\tilde{m})$ and $\hat{m} \ne \tilde{m}$. But this contradicts the collision-free 
property of $H_0$ so our proof is complete. 

Where H has been chosen appropriately, the basic Schnorr signature scheme has been shown to resist adaptive chosen message attacks in the random oracle model by Pointcheval and Stern. Therefore, if we accept this model for the Schnorr scheme, we can be sure that the batch signatures are secure.
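As an added illustration that is not part of the original paper, the following Python sketch implements a toy Schnorr scheme together with the batch construction the proof relies on: the batch signature is the ordinary Schnorr signature on M = H_0(m_1) || ... || H_0(m_n), and a member m_i of the batch is verified by recomputing h_i = H_0(m_i), rebuilding M from the published hashes and checking the Schnorr signature on it. The group parameters (a 64-bit safe prime found by a deterministic search), SHA-256 as both H and H_0, and the sample messages are assumptions of this demonstration and are far too small for real use.

```python
# Added example (not from the paper): toy Schnorr signatures and the batch
# construction used in the proof of Theorem 1.  Verifying one member of a batch
# is literally verifying the Schnorr signature on M = H0(m_1) || ... || H0(m_n).
# Toy parameters (64-bit safe prime); do not use for anything real.
import hashlib
import secrets

SMALL_PRIMES = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)

def is_probable_prime(n: int) -> bool:
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24."""
    if n < 2:
        return False
    for p in SMALL_PRIMES:
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    for a in SMALL_PRIMES:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_group(bits: int = 64):
    """Deterministic search for a prime q with p = 2q + 1 prime; returns (p, q, g)."""
    q = (1 << (bits - 1)) | 1
    while not (is_probable_prime(q) and is_probable_prime(2 * q + 1)):
        q += 2
    p = 2 * q + 1
    return p, q, 4            # 4 = 2^2 is a square mod p, so it generates the order-q subgroup

def keygen(group):
    p, q, g = group
    x = secrets.randbelow(q - 1) + 1          # private key
    return x, pow(g, x, p)                    # (x, y = g^x mod p)

def _e(group, R: int, M: bytes) -> int:
    """Challenge e = H(R || M) mod q, with R encoded as fixed-width big-endian bytes."""
    p, q, _ = group
    Rb = R.to_bytes((p.bit_length() + 7) // 8, "big")
    return int.from_bytes(hashlib.sha256(Rb + M).digest(), "big") % q

def schnorr_sign(group, x: int, M: bytes):
    p, q, g = group
    k = secrets.randbelow(q - 1) + 1
    e = _e(group, pow(g, k, p), M)
    return e, (k - x * e) % q                 # signature (e, s)

def schnorr_verify(group, y: int, M: bytes, sig) -> bool:
    p, q, g = group
    e, s = sig
    if not (0 <= e < q and 0 <= s < q):
        return False
    R = (pow(g, s, p) * pow(y, e, p)) % p     # g^s * y^e = g^(k - xe) * g^(xe) = g^k
    return _e(group, R, M) == e

def H0(m: bytes) -> bytes:
    """Per-message hash; the reduction needs it to be collision free."""
    return hashlib.sha256(m).digest()

def batch_sign(group, x: int, msgs):
    """One Schnorr signature over the whole batch: sign M = h_1 || ... || h_n."""
    hashes = [H0(m) for m in msgs]
    return schnorr_sign(group, x, b"".join(hashes)), hashes

def verify_batch_member(group, y: int, m: bytes, i: int, hashes, sig) -> bool:
    """Check (sig, h_1..h_n, i) as a signature on m: the verifier recomputes h_i
    from m itself, so a wrong m or a wrong slot fails even though the Schnorr
    signature on M is genuine."""
    if not 0 <= i < len(hashes) or H0(m) != hashes[i]:
        return False
    return schnorr_verify(group, y, b"".join(hashes), sig)
```

The reduction in the proof is visible in the code: `verify_batch_member` does nothing but rebuild M and call `schnorr_verify`, so any (sig, hashes, i) accepted for a message that was never in a signed batch is a Schnorr forgery on M, or else a collision in `H0`.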
Abstract. Non-repudiation turns out to be an increasingly important security service with the fast growth of electronic commerce on the Internet. Non-repudiation services protect the transacting parties against any false denial that a particular event or action has taken place, in which evidence will be generated, collected and maintained to enable dispute resolution. Meanwhile, fairness is a further desirable requirement such that neither party can gain an advantage by quitting prematurely or otherwise misbehaving during a transaction. In this paper, we survey the evolution of techniques and protocols that have been put forward to achieve fair non-repudiation with a (trusted) third party, and present a secure and efficient fair non-repudiation protocol.

Keywords: fair non-repudiation, trusted third party, secure electronic 
commerce 



1 Introduction 

Electronic transactions are becoming a growing trend with the development of computer networks. On the other hand, disputes over transactions are a common problem that could jeopardise business. We imagine the following scenario.

A merchant A sells electronic goods M (e.g. software, videos, or digital publications) on the Internet. Suppose a customer B wants to buy M with his credit card. Typical disputes that may arise in such a transaction could be

— A claims that he has sent M to B while B denies receiving it; 

— B claims that he received M (which is bogus or illegal) from A while A 
denies sending it. 

In order to settle these disputes by a third party arbitrator, A and B need 
to present evidence to prove their own claims. Such evidence may be provided 
by non-repudiation services. 

Non-repudiation services protect the transacting parties against any false denial that a particular event or action has taken place, in which evidence will be generated, collected and maintained to enable the settlement of disputes. The basic non-repudiation services that address the above disputes are
— Non-repudiation of Origin (NRO) provides the recipient of a message with evidence of origin of the message which will protect against any attempt by the originator to falsely deny having sent the message.

— Non-repudiation of Receipt (NRR) provides the originator of a message with evidence of receipt of the message which will protect against any attempt by the recipient to falsely deny having received the message.

Generally speaking, non-repudiation can be achieved with basic security mechanisms such as digital signatures and notarisation. However, fairness may be a further desirable requirement. In the above transaction, the merchant A would like to get a receipt as evidence for a payment claim when sending M to the customer B. On the other hand, the customer B will be reluctant to acknowledge the receipt before obtaining M. Fair non-repudiation was considered in the Draft International Standard ISO/IEC 13888 "Information technology - Security techniques - Non-repudiation". However, the mechanisms in the current version of this document do not support fair non-repudiation and only have limited application.

A fair non-repudiation protocol should not give the originator of a message an advantage over the recipient, or vice versa. This paper investigates the evolution of techniques and protocols that have been put forward to achieve fair non-repudiation, and presents a secure and efficient fair non-repudiation protocol. The following general notation is used throughout the paper.

• X, Y: concatenation of two messages X and Y.

• H(X): a one-way hash function of message X.

• e_K(X) and d_K(X): encryption and decryption of message X with key K.

• sS_A(X): principal A's digital signature on message X with the private signature key S_A. The algorithm is assumed to be a 'signature with appendix', and the message is not recoverable from the signature.

• A → B : X: principal A dispatches message X addressed to principal B.

• A ↔ B : X: principal A fetches message X from principal B using an "ftp get" operation or by some analogous means (e.g. using a Web browser).

2 Approaches for Fair Non-repudiation 

The origin of a message will usually be verified by a digital signature appended by the originator. To obtain evidence of receipt, the originator requires the recipient to reply with some sort of acknowledgement. There are two possible reasons for such an acknowledgement not to arrive.

— The communication channel is unreliable. Thus, a message may have been 
sent but failed to reach the recipient. 

— A communicating party does not play fair. Thus, a dishonest party may 
abandon execution intentionally without following the rules of a protocol. 
As a result, the recipient may repudiate receipt of a message even if it has received the message, by falsely claiming the failure of the communication channel.



Definition 1. A non-repudiation protocol is fair if it provides the originator and the recipient with valid irrefutable evidence after completion of the protocol, without giving a party an advantage over the other party in any possible incomplete protocol run.



Approaches for fair non-repudiation reported in the literature fall into two categories:

— Gradual exchange protocols, where two parties gradually disclose the expected items over many steps.

— Third party protocols, which make use of an on-line or off-line (trusted) third party.



The gradual exchange approach may have theoretical value but is too cumbersome for actual implementation because of the high computation and communication overheads. Moreover, fairness is based on the assumption of equal computational complexity, which makes sense only if the two parties have equal computing power, an often unrealistic and undesirable assumption. Hence, recent research mainly focuses on the third party approach.



At the early stage, fair non-repudiation was achieved by the use of an on-line (trusted) third party TTP. As the use of a TTP in fair non-repudiation protocols may cause a bottleneck problem, it is necessary to minimise the TTP's involvement when designing efficient fair non-repudiation protocols. Such an attempt has been made in the protocol of Section 3, where the TTP acts as a light-weight notary rather than a delivery authority. However, the TTP still needs to be involved in each protocol run, though this might be necessary in some applications.

The TTP's involvement is further reduced in the protocol of Section 4, where the transacting parties are willing to resolve communications problems between themselves and turn to the TTP only as a last recourse. However, since only the risk-taking party (the originator) is allowed to invoke the TTP, the responder may not know the final state of a protocol run in time. If a short time limit is imposed on a protocol run, the originator may not be quick enough to invoke the TTP for recovery, and thus fairness will be destroyed.



The latest effort on fair non-repudiation was made by Asokan, Shoup and Waidner, whose protocol uses the TTP only in the case of exceptions and tolerates temporary failures in the communication channels to the TTP. In addition, it allows either party to unilaterally bring a protocol run to completion without losing fairness. However, some flaws and security weaknesses of their protocol have been pointed out:

— The protocol performance may degrade when transmitting large messages. 
— The privacy of messages being transmitted may not be well protected.

— The non-repudiation evidence may not be publicly verifiable.

It is desirable to overcome these shortcomings while maintaining the merits of the protocol.

In this paper, we will use the protocols presented in the following sections as examples to show the evolution of techniques for fair non-repudiation, and propose a secure and efficient fair non-repudiation protocol based on the ideas from these protocols.



3 Protocol A: Using Light-Weight TTP

A fair non-repudiation protocol using a light-weight on-line TTP has been proposed which supports non-repudiation of origin and non-repudiation of receipt while neither the originator nor the recipient can gain an advantage by quitting prematurely or otherwise misbehaving during a transaction. The main idea of this protocol is to split the definition of a message M into two parts, a commitment C and a key K. The commitment is sent from the originator A to the recipient B and then the key is lodged with the trusted third party TTP. Both A and B have to retrieve the confirmed key from the TTP as part of the non-repudiation evidence required in the settlement of a dispute. The notation below is used in the protocol description.

• M: message being sent from A to B.

• K: message key defined by A.

• C = e_K(M): commitment (ciphertext) for message M.

• L = H(M, K): a unique label linking C and K.

• f_i (i = 1, 2, ...): flags indicating the intended purpose of a signed message.

• EOO_C = sS_A(f_1, B, L, C): evidence of origin of C.

• EOR_C = sS_B(f_2, A, L, C): evidence of receipt of C.

• sub_K = sS_A(f_5, B, L, K): evidence of submission of K.

• con_K = sS_TTP(f_6, A, B, L, K): evidence of confirmation of K issued by the TTP.

The protocol is as follows.

1. A → B : f_1, B, L, C, EOO_C

2. B → A : f_2, A, L, EOR_C

3. A → TTP : f_5, B, L, K, sub_K

4. B ↔ TTP : f_6, A, B, L, K, con_K

5. A ↔ TTP : f_6, A, B, L, K, con_K

It is assumed that A, B, and the TTP either hold the relevant public key certificates, or are able to retrieve them from an X.509 directory service. It is further assumed that the communication channels linking the TTP and each transacting party (A and B) are resilient.
Definition 2. A communication channel is resilient if a message inserted into such a channel will eventually be delivered.

We examine the protocol step by step.

1. A first sends C and EOO_C to B. There is no breach of fairness if the protocol stops at Step 1 since C is incomprehensible without K.

B needs to verify EOO_C and save EOO_C as evidence of origin of C before proceeding to the next step.

2. B has to send EOR_C to A if B wants to get K and con_K from the TTP at Step 4. There is no breach of fairness if the protocol stops at Step 2 since EOR_C can only be used to prove receipt of C rather than receipt of M.

A needs to verify EOR_C and save EOR_C as evidence of receipt of C before proceeding to the next step.

3. A has to send K and sub_K to the TTP if A wants to get con_K from the TTP at Step 5. B could obtain K by eavesdropping, and thereby the message M, before K is lodged with the TTP. As we assume that the communication channel between A and the TTP is resilient, A will eventually be able to send K and sub_K to the TTP in exchange for con_K.

After receiving K and sub_K from A, the TTP will generate con_K and store the tuple (f_6, A, B, L, K, con_K) in a directory which is accessible (read only) to the public. The second component in the tuple indicates the key supplier, which is authenticated by the TTP with sub_K. Intruders cannot mount a denial-of-service attack by sending bogus keys to the TTP as this will not generate entries (f_6, A, ...) in the directory.

4. B fetches K and con_K from the TTP. B obtains M by computing M = d_K(C), and saves con_K as evidence to prove that K originated from A.

As we assume that the communication channel between B and the TTP is resilient, B can always retrieve K and con_K. B will lose a dispute over receipt of M even if B does not fetch K after it becomes publicly available.

5. A fetches con_K from the TTP, and saves it as evidence to prove that K is available to B.

The above analysis demonstrates that if and only if A has sent C to B and K to the TTP will A have evidence (EOR_C, con_K) and B have evidence (EOO_C, con_K).

Label L plays an important role in the establishment of a unique link between C and K. Once L and C have been committed in EOO_C and EOR_C, it is computationally hard to find K' ≠ K satisfying L = H(M, K) = H(M, K') while M = d_K(C) = d_K'(C).

If A denies origin of M, B can present evidence EOO_C and con_K plus M, C, K to a third party arbitrator. The arbitrator will check

— A's signature EOO_C = sS_A(f_1, B, L, C)

— the TTP's signature con_K = sS_TTP(f_6, A, B, L, K)

— L = H(M, K)

— M = d_K(C)

If the first two checks are positive, the arbitrator believes that C and K originated from A. If the last two checks are also positive, the arbitrator will conclude that C and K are uniquely linked by L, and M is the message represented by C and K from A.

If B denies receipt of M, A can present evidence EOR_C and con_K plus M, C, K to the arbitrator. The arbitrator will make similar checks as above.

Unlike other fair non-repudiation protocols which use the on-line trusted third party as a delivery authority, the trusted third party in this protocol acts as a light-weight notary which only notarises message keys by request and provides directory services accessible to the public. This has two advantages.

— The trusted third party only deals with keys, which in general will be shorter 
than the full messages. 

— The onus is now on the originator and the recipient to retrieve the key, while 
a delivery authority would have to keep resending messages until the receiver 
acknowledges the message. 

4 Protocol B: Using Offline TTP

In Section 3, the trusted third party's work load has been significantly reduced, since the TTP only needs to notarise message keys by request and provide directory services. Such a protocol is appropriate in applications where notarisation of keys is desirable¹, or where the participants and the communications infrastructure are so unreliable that participants prefer to rely on the TTP to facilitate transactions.

An efficient fair non-repudiation protocol has been proposed which further reduces the trusted third party's active involvement when the two parties are willing to resolve communications problems between themselves and want to turn to the TTP only as a last recourse. In the normal case, the originator A and the recipient B will exchange messages and non-repudiation evidence directly. The TTP will be invoked only in the error-recovery phase initiated by A when A cannot get the expected evidence from B.

Besides the notation used in Section 3, the following additional notation is used in the protocol description.

¹ When disputes relate to the time of message transfer, the originator and the recipient may need evidence about the time of sending and receiving a message besides evidence of origin and receipt. The TTP can time-stamp evidence con_K to identify when the message key, and thus the message, was made available.



264 J. Zhou, R. Deng, and F. Bao 



• EOO_K = sS_A(f_3, B, L, K): evidence of origin of K.

• EOR_K = sS_B(f_4, A, L, K): evidence of receipt of K.

The protocol in the normal case is as follows.

1. A → B : f_1, B, L, C, EOO_C

2. B → A : f_2, A, L, EOR_C

3. A → B : f_3, B, L, K, EOO_K

4. B → A : f_4, A, L, EOR_K

If A does not send message 3, the protocol ends without disputes. If A cannot get message 4 from B after sending message 3 (either because B did not receive message 3 or because B does not want to acknowledge it), A may initiate the following recovery phase, which is the same as Steps 3 to 5 of the protocol in Section 3.

3'. A → TTP : f_5, B, L, K, sub_K

4'. B ↔ TTP : f_6, A, B, L, K, con_K

5'. A ↔ TTP : f_6, A, B, L, K, con_K

If the protocol run is complete, the originator A will hold non-repudiation evidence EOR_C and EOR_K, and the recipient B will hold EOO_C and EOO_K. Otherwise, A needs to rectify the unfair situation by initiating the recovery phase so that non-repudiation evidence con_K will be available to both A and B.

If disputes arise, A can use (EOR_C, EOR_K) or (EOR_C, con_K) as non-repudiation evidence to prove that B received M; B can use (EOO_C, EOO_K) or (EOO_C, con_K) as non-repudiation evidence to prove that M originated from A.



This protocol will be efficient in an environment where two parties usually 
play fair in a protocol run. Although the recipient B is temporarily in an advan- 
tageous position after Step 3, fairness can be retained by ensuring the success 
of the recovery phase, which relies on the assumption that the communication 
channels between the TTP and the participants A, B are resilient. 

In practice, however, a time limit for a protocol run may have to be set so that both parties can terminate an expired protocol run safely. The choice of time limit in the above protocol then becomes critical because it may affect the protocol's fairness. If A cannot get message 4 from B, A has to rely on a successful recovery phase to rectify the unfair situation. A needs to submit the message key to the TTP in time, since the TTP will not confirm A's submission once the protocol run has expired. However, as we only assume that the communication channels are not permanently broken, A cannot be sure that the TTP will receive its submission in time. Therefore, A has to choose the time limit large enough. This means that B may not know the final state of a protocol run in
time, which is obviously unfavourable to B. If B does not receive the message key from A by the deadline, B has to retrieve it from the TTP, or abandon the protocol run with a notification from the TTP.²



5 Protocol C: Autonomous with Offline TTP 

Here we present an autonomous fair non-repudiation protocol using an off-line TTP, which is mainly based on the ideas from the protocols discussed above.

Definition 3. A fair non-repudiation protocol is autonomous if either tran- 
sacting party can unilaterally bring a transaction to completion without losing 
fairness. 

We split the definition of a message M into two parts, a commitment C and a key K. In the normal case, the originator A sends (C, K) (plus evidence of origin) to the recipient B in exchange for evidence of receipt without any involvement of the TTP. If something goes wrong in the middle of a transaction, either A or B can unilaterally bring the transaction to completion with the help of the TTP. The TTP only needs to notarise and/or deliver the message key K by request, which is usually much shorter than the whole message M. The notation below is used in the description of our protocol.

• M: message being sent from A to B.

• K: message key defined by A.

• C = e_K(M): commitment (ciphertext) for message M.

• L = H(M, K): a unique label linking C and K.

• f_i (i = 1, 2, ...): flags indicating the intended purpose of a signed message.

• EOO_C = sS_A(f_1, B, L, C): evidence of origin of C.

• EOR_C = sS_B(f_2, A, L, EOO_C): evidence of receipt of C.

• EOO_K = sS_A(f_3, B, L, K): evidence of origin of K.

• EOR_K = sS_B(f_4, A, L, EOO_K): evidence of receipt of K.

• sub_K = sS_A(f_5, B, L, K, TTP, EOO_C): evidence of submission of K to the TTP.

• con_K = sS_TTP(f_6, A, B, L, K): evidence of confirmation of K issued by the TTP.

• abort = sS_TTP(f_8, A, B, L): evidence of abortion.

• P_TTP: the TTP's public encryption key.

Our protocol has three sub-protocols: exchange, abort, and resolve. We as- 
sume that the communication channels between the TTP and each transacting 
party (A and B) are resilient. We also assume that the communication channel 
between A and B is confidential if the two parties want to exchange messages 

² This problem does not exist in the protocol described in Section 3. An arbitrarily long time limit can be set for a protocol run as long as the message key is protected from disclosure to B when A submits it to the TTP for confirmation.
secretly. The exchange sub-protocol is as follows.

1. A → B : f_1, f_5, B, L, C, TTP, e_PTTP(K), EOO_C, sub_K

   IF B gives up THEN quit ELSE

2. B → A : f_2, A, L, EOR_C

   IF A gives up THEN abort ELSE

3. A → B : f_3, B, L, K, EOO_K

   IF B gives up THEN resolve ELSE

4. B → A : f_4, A, L, EOR_K

   IF A gives up THEN resolve

The abort sub-protocol is as follows.

1. A → TTP : f_7, B, L, sS_A(f_7, B, L)

   IF resolved THEN

2. TTP → A : f_2, f_6, A, B, L, K, con_K, EOR_C

   ELSE

3. TTP → A : f_8, A, B, L, abort

The resolve sub-protocol is as follows, where the initiator U is either A or B.

1. U → TTP : f_2, f_5, A, B, L, TTP, e_PTTP(K), sub_K, EOO_C, EOR_C

   IF aborted THEN

2. TTP → U : f_8, A, B, L, abort

   ELSE

3. TTP → U : f_2, f_6, A, B, L, K, con_K, EOR_C

If the exchange sub-protocol is executed successfully, B will receive C and K and thus M = d_K(C) together with evidence of origin (EOO_C, EOO_K). Meanwhile, A will receive evidence of receipt (EOR_C, EOR_K).

B can simply quit the transaction without losing fairness before sending EOR_C to A. Otherwise, B has to run the resolve sub-protocol to force a successful termination. Similarly, A can run the abort sub-protocol to quit the transaction without losing fairness before sending K and EOO_K to B. Otherwise, A has to run the resolve sub-protocol to force a successful termination.

The resolve sub-protocol can be initiated either by A or by B. When the TTP receives such a request, the TTP will first check the status of the transaction, which is uniquely identified by (A, B, L). If the transaction has been aborted by A, the TTP will return the abort token. If the transaction has already been resolved, the TTP will deliver the tuple (f_2, f_6, A, B, L, K, con_K, EOR_C) to the current initiator of the resolve sub-protocol. Otherwise, the TTP will

— check that EOR_C is consistent with sub_K in terms of L and EOO_C,

— generate evidence con_K,

— deliver the tuple (f_2, f_6, A, B, L, K, con_K, EOR_C) to the current initiator,

— set the status of the transaction to resolved.
The third component in the tuple indicates the key supplier, which is authenticated by the TTP with sub_K. Evidence con_K can be used to prove that

— a transaction identified by (A, B, L) has been resolved successfully,

— the message key K originated from A, and

— the message key is available from the TTP by request.

The time limit on maintaining the status of a transaction (resolved or abor- 
ted) by the TTP will be defined in the non-repudiation policy, which can be 
reasonably long enough (mainly depending on the TTP’s storage capability) so 
that both transacting parties are deemed to be able to consult the TTP within 
such a time limit to force a successful termination of a transaction when it is 
necessary. 

If disputes arise, A can use evidence (EOR_C, EOR_K) or (EOR_C, con_K) to prove that B received the message M, and B can use evidence (EOO_C, EOO_K) or (EOO_C, con_K) to prove that A sent the message M.
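The following Python simulation is an added example and not code from the paper. It runs the exchange, abort and resolve sub-protocols of Protocol C against a TTP that remembers only the status of transactions it has been asked about, and then applies the arbitrator's checks of Section 3 in the form Section 5 needs them: the signature on EOO_C, the signature on con_K (or on EOO_K and EOR_K), L = H(M, K) and M = d_K(C). The primitives are stand-ins chosen for this demonstration: H is SHA-256, e_K is an XOR stream cipher keyed by K, the signature sS_X is an HMAC under X's secret (so the demo's verifier must hold every key, whereas the paper assumes a publicly verifiable signature with appendix), and encryption under P_TTP is modelled with the TTP's own secret. The principals are one fixed pair A, B; the keys and the message are constructed.

```python
# Added example (not the paper's code): Protocol C with toy primitives.
import hashlib
import hmac
import os

A, B, TTP_ID = b"A", b"B", b"TTP"                        # one fixed pair of principals plus the TTP
SECRETS = {A: os.urandom(32), B: os.urandom(32), TTP_ID: os.urandom(32)}   # constructed keys
F = {i: b"f%d" % i for i in range(1, 9)}                 # flags f_1 .. f_8

def H(*parts):                    # H(X, Y, ...): hash of the concatenation
    return hashlib.sha256(b"|".join(parts)).digest()
def e(K, data):                   # toy e_K: XOR with a SHA-256 counter-mode keystream
    out = bytearray()
    for i in range(0, len(data), 32):
        ks = hashlib.sha256(K + i.to_bytes(4, "big")).digest()
        out += bytes(x ^ y for x, y in zip(data[i:i + 32], ks))
    return bytes(out)
d = e                             # applying the same keystream again is d_K
def sS(X, *fields):               # sS_X(...): HMAC stand-in for X's signature with appendix
    return hmac.new(SECRETS[X], b"|".join(fields), hashlib.sha256).digest()
def ok(X, sig, *fields):          # signature check (this demo's verifier holds every key)
    return hmac.compare_digest(sig, sS(X, *fields))

class TTP:                        # off-line TTP: stores only the status of transactions it saw
    def __init__(self):
        self.status = {}          # (A, B, L) -> ("aborted", abort) | ("resolved", K, con_K, EOR_C)

    def abort(self, L, sig):      # abort sub-protocol; only A may invoke it
        if not ok(A, sig, F[7], B, L):
            return None
        if (A, B, L) not in self.status:          # not resolved yet: record the abort, issue the token
            self.status[(A, B, L)] = ("aborted", sS(TTP_ID, F[8], A, B, L))
        return self.status[(A, B, L)]             # already resolved: A gets (K, con_K, EOR_C) instead

    def resolve(self, L, ePK, sub_K, EOO_C, EOR_C):   # resolve sub-protocol; initiator is A or B
        if (A, B, L) in self.status:              # aborted -> abort token, resolved -> same tuple again
            return self.status[(A, B, L)]
        K = d(SECRETS[TTP_ID], ePK)
        # EOR_C must be consistent with sub_K in terms of L and EOO_C
        if not (ok(A, sub_K, F[5], B, L, K, TTP_ID, EOO_C) and ok(B, EOR_C, F[2], A, L, EOO_C)):
            return None
        self.status[(A, B, L)] = ("resolved", K, sS(TTP_ID, F[6], A, B, L, K), EOR_C)
        return self.status[(A, B, L)]

def a_step1(M):                   # 1. A -> B: f_1, f_5, B, L, C, TTP, e_PTTP(K), EOO_C, sub_K
    K = os.urandom(32)
    C, L = e(K, M), H(M, K)
    EOO_C = sS(A, F[1], B, L, C)
    sub_K = sS(A, F[5], B, L, K, TTP_ID, EOO_C)
    return dict(L=L, C=C, ePK=e(SECRETS[TTP_ID], K), EOO_C=EOO_C, sub_K=sub_K), K

def b_step2(m1):                  # 2. B -> A: f_2, A, L, EOR_C   (B verifies EOO_C first)
    assert ok(A, m1["EOO_C"], F[1], B, m1["L"], m1["C"])
    return sS(B, F[2], A, m1["L"], m1["EOO_C"])
def a_step3(L, K):                # 3. A -> B: f_3, B, L, K, EOO_K
    return sS(A, F[3], B, L, K)
def b_step4(m1, K, EOO_K):        # 4. B -> A: f_4, A, L, EOR_K   (B checks that L links C and K)
    assert ok(A, EOO_K, F[3], B, m1["L"], K) and H(d(K, m1["C"]), K) == m1["L"]
    return sS(B, F[4], A, m1["L"], EOO_K)

def arbitrate(claim, M, C, K, L, ev):
    # "origin": B presents EOO_C plus EOO_K or con_K; "receipt": A presents EOO_C, EOR_C plus
    # (EOO_K, EOR_K) or con_K.  Same four checks as the arbitrator of Section 3.
    linked = L == H(M, K) and d(K, C) == M              # L uniquely links C and K; M = d_K(C)
    eoo_c = ok(A, ev["EOO_C"], F[1], B, L, C)
    con = "con_K" in ev and ok(TTP_ID, ev["con_K"], F[6], A, B, L, K)
    if claim == "origin":
        return linked and eoo_c and (con or ("EOO_K" in ev and ok(A, ev["EOO_K"], F[3], B, L, K)))
    eor_c = ok(B, ev["EOR_C"], F[2], A, L, ev["EOO_C"])
    eor_k = "EOR_K" in ev and ok(B, ev["EOR_K"], F[4], A, L, ev["EOO_K"])
    return linked and eoo_c and eor_c and (con or eor_k)

def scenario_honest(M):           # full exchange: (A proves receipt, B proves origin, no other M passes)
    m1, K = a_step1(M)
    EOR_C = b_step2(m1)
    EOO_K = a_step3(m1["L"], K)
    EOR_K = b_step4(m1, K, EOO_K)
    L, C = m1["L"], m1["C"]
    evA = dict(EOO_C=m1["EOO_C"], EOR_C=EOR_C, EOO_K=EOO_K, EOR_K=EOR_K)
    evB = dict(EOO_C=m1["EOO_C"], EOO_K=EOO_K)
    return (arbitrate("receipt", M, C, K, L, evA), arbitrate("origin", M, C, K, L, evB),
            not arbitrate("origin", b"some other goods", C, K, L, evB))

def scenario_b_withholds_eor_k(M):   # B takes K at Step 3, never sends EOR_K: A resolves, B follows
    ttp, (m1, K) = TTP(), a_step1(M)
    EOR_C = b_step2(m1)
    a_step3(m1["L"], K)
    st_a = ttp.resolve(m1["L"], m1["ePK"], m1["sub_K"], m1["EOO_C"], EOR_C)
    st_b = ttp.resolve(m1["L"], m1["ePK"], m1["sub_K"], m1["EOO_C"], EOR_C)
    L, C, EOO_C = m1["L"], m1["C"], m1["EOO_C"]
    return (st_a[0] == "resolved" and st_b == st_a
            and arbitrate("receipt", M, C, K, L, dict(EOO_C=EOO_C, EOR_C=st_a[3], con_K=st_a[2]))
            and arbitrate("origin", M, C, K, L, dict(EOO_C=EOO_C, con_K=st_b[2])))

def scenario_a_aborts(M):         # A has EOR_C but aborts instead of sending K; EOR_C alone proves nothing
    ttp, (m1, K) = TTP(), a_step1(M)
    EOR_C = b_step2(m1)
    st_a = ttp.abort(m1["L"], sS(A, F[7], B, m1["L"]))
    st_b = ttp.resolve(m1["L"], m1["ePK"], m1["sub_K"], m1["EOO_C"], EOR_C)
    return (st_a[0] == "aborted" and st_b == st_a
            and not arbitrate("receipt", M, m1["C"], K, m1["L"], dict(EOO_C=m1["EOO_C"], EOR_C=EOR_C)))
```

The three scenarios exercise the fairness claims in the text: after a complete run both sides hold usable evidence; when B keeps K and withholds EOR_K, A's resolve produces con_K and a later resolve by B returns the very same tuple; when A aborts after receiving EOR_C, B's resolve yields only the abort token and EOR_C does not let A prove receipt of M. The TTP never sees M and handles only the short key K, which is the overhead argument of Section 5.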

In comparison with the protocol of Asokan, Shoup and Waidner, our protocol has the following merits.

— The TTP’s overhead will not increase when transmitting a large message M. 

— The content of the message M need not be disclosed to any outsiders inclu- 
ding the TTP. 

— The evidence is publicly verifiable without any restrictions on the types of 
signature and encryption algorithms. 

Therefore, our protocol is more secure and efficient both at the stage of exchange 
and at the stage of dispute resolution. 



6 Conclusion 

Fair non-repudiation protocols can be constructed in two ways, by gradual 
exchange of the expected items, or by invoking the services of a (trusted) third 
party. The major defects of the first approach are 

— high computation and communication overheads, and 

— a strong assumption on the transacting parties' equal computing power for fairness.

Hence, recent research mainly focuses on the second approach. As the trusted 
third party may become a system bottleneck, a critical issue is how to minimize 
the trusted third party’s involvement in fair non-repudiation protocols. 

There are three major advances in the research along this direction. Early efforts were to make use of a light-weight on-line trusted third party (e.g. the fair non-repudiation protocol of Section 3). Later on, an off-line trusted third party was employed in fair non-repudiation protocols (e.g. the protocol of Section 4), but fairness may be destroyed when a time limit is imposed on a protocol run. The most recent advance is to allow either transacting party to unilaterally bring a protocol run to completion without losing fairness with the assistance of an off-line trusted third party (Asokan, Shoup and Waidner). This paper presented a more secure and efficient fair non-repudiation protocol based on the ideas from these protocols. An open problem is how to achieve fair non-repudiation without relying on the assumption of resilient communication channels between an off-line trusted third party and each transacting party.
Abstract. Formal specification of authorization in object oriented databases is becoming increasingly significant. However, most of the work in this field suffers from a lack of formal logic semantics to characterize different types of inheritance properties of authorization policies among complex data objects. In this paper, we propose a logic formalization to specify object oriented databases together with authorization policies. Our formalization has a high level language structure to specify object oriented databases and allows various types of authorizations to be associated with data objects.

Key words: object oriented databases, inheritance, security, authoriza- 
tion policy, formal specification 



1 Introduction 



Authorization specification in object oriented databases has been increasingly investigated recently by many researchers. However, most of the work suffers from a lack of formal logic semantics to characterize different types of inheritance properties of authorization policies among complex data objects. Furthermore, it is also difficult to formally reason about authorizations associated with different objects in databases.

In this paper, we address this issue from a formal logic point of view. We propose a logical language that has a clear and declarative semantics to specify the structural features of object oriented databases and the authorizations associated with complex data objects in databases. A direct advantage of this approach is that we can formally specify and reason about authorizations on data objects without losing the inheritance and abstraction features of object oriented databases. We first propose a logical language for specifying object oriented databases. This language has a high level syntax and its semantics shares some features of Kifer et al.'s F-logic [3]. We then extend this language, based on some features of our previous formal language for authorization specification, to include authorization in object oriented databases.

The paper is organized as follows. In Section 2, we propose a formal language L to specify object oriented databases. In Section 3, we extend L to a language L^a by combining authorization specifications associated with data objects into a database. In Section 4, we investigate properties of reasoning about authorizations in object oriented databases. Finally, Section 5 concludes the paper.
2 Object Oriented Databases Specification

The vocabulary of the language L which is used to specify object oriented databases consists of:

1. A finite set of object variables OV = {o, o_1, o_2, ...} and a finite set of object constants OC = {O, O_1, O_2, ...}. We will simply name O = OV ∪ OC the object set.

2. A finite set F of function symbols as object constructors or methods, where each f ∈ F takes objects as arguments and maps to an object or a set of objects.

3. Auxiliary symbols.

An object proposition is an expression of the form

O has method f_1(...) ⇒ Π_1,
              ...
              f_m(...) ⇒ Π_m,
              f_{m+1}(...) ↦ Π_{m+1},
              ...
              f_n(...) ↦ Π_n                                         (1)

In (1) O is an object from O and f_1, ..., f_m, ..., f_n are function symbols (as object constructors). Each function symbol f takes objects as arguments and maps to some Π that is an object or a set of objects. For example, the following is an object description of a staff member:

Staff has method name ⇒ String,
                 dept(Staff) ⇒ String,
                 firstdegree ↦ 'Bachelor',

where name ⇒ String represents that the type of name is a string, and method dept takes type Staff as a parameter and returns a type of string to indicate the dept the staff member belongs to. firstdegree ↦ 'Bachelor' simply expresses that every staff member should hold a Bachelor degree (a constant). An object proposition is called ground if there is no object variable occurrence in it.

An isa proposition of L is an expression of one of the following two forms:

O isa member of C, (2)

O isa subclass of C, (3)

where O and C are objects from O, i.e., O and C may be object constants or variables. Clearly, isa propositions (2) and (3) explicitly represent the hierarchy relation between two objects. An isa proposition that does not contain any object variables is called a ground isa proposition.
We call an object or isa proposition a data proposition. A data proposition is called a ground data proposition if there is no object variable occurrence in it. We usually use the notation φ to denote a data proposition. We assume that any variable occurrence in a data proposition is universally quantified.

A constraint proposition is an expression of the form

φ ← φ_1, ..., φ_k, (4)

where φ, φ_1, ..., φ_k are data propositions. A constraint proposition represents some relationship among different data objects. With this kind of proposition, we can represent some useful deductive rules of the domain in our database. A database proposition is an object proposition, isa proposition, or constraint proposition.

We can now formally define our object oriented database as follows. 

Definition 1. An object oriented database Σ is a triplet (Γ, Δ, Ω), where Γ is a finite set of ground object propositions, Δ is a finite set of ground isa propositions, and Ω is a finite set of constraint propositions.

Now we explain the semantics of the language L in general terms; the detailed semantics is given elsewhere.

A structure of £ is a tuple I = {U, Ti, Cy, =>/, (->•/), where U represents 
all possible actual objects in the domain. Fj is a set of functions. The objective 
of ordering Cy is to represent the semantics of isa subclass proposition in £. 
The semantics of isa membership proposition in £ is provided by in / in a 
similar way. 

The semantics of ⇒, however, is not quite so straightforward. As mentioned 
earlier, a method of the form f(···) ⇒ Π actually defines the function type of 
f. That is, f takes objects that represent types of actual objects and returns an 
object (or a set of objects) that indicates the type (or types) of the resulting actual 
object (or objects). Suppose that f is an i-ary function. Then the semantics of 
⇒ is provided by the mapping ⇒_I, which maps the resulting object represented 
by f(···) to an (i+1)-ary function $h_I : U^{i+1} \to \mathcal{P}(U)$, where the first i 
arguments in $U^{i+1}$ are the objects that correspond to the i arguments taken by f, 
and the (i+1)-th argument in $U^{i+1}$ is the object that corresponds to the object 
associated with the function f(···) in the proposition (we also call it the host object 
of f). In f(···) ⇒ Π, Π denotes the type (or types) of the resulting object (or objects), 
for which we use a subset of U to represent all the possible actual objects that have 
the type (or types) indicated by Π. 

It is important to note that we require this subset of U to be upward-closed 
with respect to the ordering ⊑_I. A subset V of U is upward-closed if v ∈ V and 
v ⊑_I v' imply v' ∈ V. The purpose of this requirement is that if V is viewed as a 
set of classes, upward closure ensures that for each class v ∈ V, V also contains 
all the superclasses of v, which guarantees the proper inheritance property 
of types. 

A similar explanation can be given for ↦_I, the semantics of ↦. We can then 
show that ⇒_I actually provides the type of the corresponding ↦_I. 

To simplify our formalization, we use the Herbrand universe in any structure 
of L. That is, the Herbrand universe U_L is formed from the set of all object 
constants in OC and the objects built by function symbols on these object 
constants. 

Now we can formally define the model of a database Σ as follows. 

Definition 2. A structure M of L is a model of a database Σ = (Γ, Δ, Ω) if 

1. For each proposition ψ in Γ ∪ Δ ∪ Ω, M ⊨ ψ.¹ 

2. For each object proposition φ, if M ⊨ φ, then M ⊨ φ', where φ' is obtained 
from φ by omitting some methods of φ. 

3. For any isa proposition O isa member of C and object propositions C has 
method f(···) ⇒ Π and C has method f(···) ↦ Π: (1) M ⊨ O isa member of C 
and M ⊨ C has method f(···) ⇒ Π imply M ⊨ O has method f(···) ⇒ Π; 
(2) M ⊨ O isa member of C and M ⊨ C has method f(···) ↦ Π imply 
M ⊨ O has method f(···) ↦ Π. 

4. For any isa proposition O isa subclass of C and object proposition C has 
method f(···) ↦ Π, M ⊨ O isa subclass of C and M ⊨ C has method 
f(···) ↦ Π imply M ⊨ O has method f(···) ↦ Π. 

¹ Refer to the cited reference for the formal definition of ⊨. 

Condition 1 in the above definition is the basic requirement for a model. Condition 
2 allows us to partially represent an object with only those methods that are 
of interest in a given context. Condition 3 is a restriction that guarantees the 
necessary inheritance of membership, whereas Condition 4 is needed for the purpose 
of subclass value inheritance. 

Let Σ be a database and φ be a database proposition. If M ⊨ φ for every model M 
of Σ, we say that φ is entailed by Σ, denoted Σ ⊨ φ. 

Example 1. Consider a simplified domain of staff in a department. The structure 
of such a domain is illustrated in Figure 1, where solid arrows indicate subclass 
relations and dotted arrows indicate membership relations in the database. 

Using our language L, our database Σ = (Γ, Δ, Ω) is specified as follows: (1) 
the set of ground object propositions Γ consists of: 

    Staff has method name ⇒ String, id ⇒ Integer,                                (5) 
    GenStaff has method typeofwork(Staff) ⇒ String,                              (6) 
    AcadStaff has method research(Staff) ⇒ {String, ..., String},                (7) 
    Alice has method name ↦ 'Alice', id ↦ 111, typeofwork(Alice) ↦ 'Secretary',  (8) 
    Bob has method name ↦ 'Bob', id ↦ 222, typeofwork(Bob) ↦ 'techsupport',      (9) 
    Carl has method name ↦ 'Carl', id ↦ 333, research(Carl) ↦ 'security',        (10) 
    David has method name ↦ 'David', id ↦ 444, research(David) ↦ 'database',     (11) 

(2) the set of ground isa propositions Δ consists of: 

    Alice isa member of GenStaff,                                                (12) 
    Bob isa member of GenStaff,                                                  (13) 
    Carl isa member of AcadStaff,                                                (14) 
    David isa member of AcadStaff,                                               (15) 
    GenStaff isa subclass of Staff,                                              (16) 
    AcadStaff isa subclass of Staff,                                             (17) 

and (3) Ω consists of two constraint propositions: 

    y isa member of AcadStaff if y has method research(y) ↦ {..., z, ...},       (18) 
    y isa member of Staff if y isa member of AcadStaff,                          (19) 

where y and z are object variables, and the notation {..., z, ...} means that the 
set includes the element z, which is the one of interest. 

Fig. 1. A staff database. 

In database Σ, we assume that the objects Integer and String are primitive 
object constants and do not require explicit descriptions. The database also 
exhibits the necessary inheritance properties among the different objects. 

Finally, in Σ, Γ and Δ represent explicit data object descriptions and hierarchical 
relations among these objects, while Ω describes constraints of the domain 
which characterize some implicit data objects and their properties. By using 
the rules in Ω together with the facts in Γ ∪ Δ, we can derive new data objects 
with well-defined properties. 
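As an added illustration (this script is not part of the paper), the following Python code encodes the staff database of Example 1 and computes the ground propositions that every model must satisfy under Definition 2 (conditions 3 and 4) together with the constraints (18) and (19). One class-level value method, Staff has method dept ↦ 'CS', is constructed here and is not in the paper's Γ; it is added only so that subclass value inheritance (condition 4) has something to act on.

```python
# Added example, not from the paper: evaluating the staff database of Example 1.
# Method keys are (name, kind) with kind "=>" (type) or "|->" (value), so an
# object may carry both a type and a value for the same method name.

# Gamma: ground object propositions (5)-(11).  The "dept" value on Staff is a
# constructed addition (not in the paper) used to exercise condition 4.
GAMMA = {
    "Staff":     {("name", "=>"): "String", ("id", "=>"): "Integer", ("dept", "|->"): "CS"},
    "GenStaff":  {("typeofwork(Staff)", "=>"): "String"},
    "AcadStaff": {("research(Staff)", "=>"): ("String", "...")},
    "Alice": {("name", "|->"): "Alice", ("id", "|->"): 111, ("typeofwork(Alice)", "|->"): "Secretary"},
    "Bob":   {("name", "|->"): "Bob",   ("id", "|->"): 222, ("typeofwork(Bob)", "|->"): "techsupport"},
    "Carl":  {("name", "|->"): "Carl",  ("id", "|->"): 333, ("research(Carl)", "|->"): "security"},
    "David": {("name", "|->"): "David", ("id", "|->"): 444, ("research(David)", "|->"): "database"},
}
# Delta: ground isa propositions (12)-(17), as (object, class) pairs.
MEMBER_OF = {("Alice", "GenStaff"), ("Bob", "GenStaff"),
             ("Carl", "AcadStaff"), ("David", "AcadStaff")}
SUBCLASS_OF = {("GenStaff", "Staff"), ("AcadStaff", "Staff")}


def has_research_value(methods):
    """Premise of constraint (18): y has method research(y) |-> {..., z, ...}."""
    return any(name.startswith("research(") and kind == "|->" for name, kind in methods)


def least_model(gamma, member_of, subclass_of):
    """Iterate to a fixpoint.  Every proposition added here holds in every model
    of the database, because each step applies a condition of Definition 2 or a
    constraint in Omega.  If an inherited key collides with one the object already
    has, the object's own entry is kept (the paper's semantics would instead make
    such a database inconsistent).  Returns (methods, members, subclasses)."""
    methods = {o: dict(ms) for o, ms in gamma.items()}
    members, subclasses = set(member_of), set(subclass_of)
    changed = True
    while changed:
        changed = False
        for o in list(methods):                                # constraint (18)
            if has_research_value(methods[o]) and (o, "AcadStaff") not in members:
                members.add((o, "AcadStaff")); changed = True
        for o, c in list(members):                             # constraint (19)
            if c == "AcadStaff" and (o, "Staff") not in members:
                members.add((o, "Staff")); changed = True
        for o, c in list(members):                             # Definition 2, condition 3
            for key, val in methods.get(c, {}).items():        # both => and |-> inherited
                if key not in methods.setdefault(o, {}):
                    methods[o][key] = val; changed = True
        for o, c in list(subclasses):                          # Definition 2, condition 4
            for key, val in methods.get(c, {}).items():
                if key[1] == "|->" and key not in methods.setdefault(o, {}):
                    methods[o][key] = val; changed = True
    return methods, members, subclasses


def entails_object(methods, obj, wanted):
    """Sigma |= 'obj has method ...' for a subset of its methods (condition 2
    lets us ask about only the methods of interest)."""
    have = methods.get(obj, {})
    return all(key in have and have[key] == val for key, val in wanted.items())


def entails_isa(members, subclasses, obj, cls, membership=True):
    """Sigma |= 'obj isa member of cls' (or, with membership=False, 'obj isa subclass of cls')."""
    return (obj, cls) in (members if membership else subclasses)


if __name__ == "__main__":
    methods, members, subclasses = least_model(GAMMA, MEMBER_OF, SUBCLASS_OF)
    print("derived Staff members:", sorted(o for o, c in members if c == "Staff"))
    print("Alice's dept:", methods["Alice"].get(("dept", "|->")))
```

Running the script reports that only Carl and David are derived members of Staff: Ω as given relates AcadStaff membership to Staff membership through (19) but contains no corresponding rule for GenStaff, so under Definition 2 nothing makes Alice or Bob members of Staff, even though both inherit GenStaff's methods (condition 3) and, through condition 4 applied to GenStaff, the constructed dept value.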



3 Authorization Specification 

In this section, we extend language L to L^a to specify authorization in object 
oriented databases. First let us consider the following requirements in the 
specification of access policies in object oriented databases. 

1. If a subject (user) has an access right to a complete object (class), then this 
should imply that this subject has the same access right to every method of 
the object (class). There may be some exceptions. 

2. If a subject has an access right to a class, there may be a need that this 
subject should generally be allowed to access all of its subclasses. Again, some 
exceptions should be taken into account. For example, a general research 
officer can access all the research records of the class Staff except those of the 
class Professor. A similar requirement is also needed for memberships. 

3. Causal or conditional authorization policies are also needed. 

The vocabulary of L^a includes the vocabulary of L together with the following 
additions: 

1. A finite set of subject variables SV = {s, s_1, s_2, ...} and a finite set of subject 
constants SC = {S, S_1, S_2, ...}. We denote 𝐒 = SV ∪ SC. 

2. A finite set of access-right variables AV = {r, r_1, r_2, ...} and a finite set of 
access-right constants AC = {R, R_1, R_2, ...}. We denote 𝐀 = AV ∪ AC. 

3. A ternary predicate symbol holds taking arguments subject, access-right, 
and object/method respectively. 

4. Logical connectives ∧ and ¬. 

In language L^a, the fact that a subject S has access right R for object O is 
represented using a ground atom holds(S, R, O). The fact that S has access right R 
for object O's method f(···) ⋄ Π is represented by the ground atom holds(S, R, O|f), 
where we use ⋄ for either of the symbols ⇒ and ↦. 
In general, we define an access fact to be an atomic formula holds(s, r, o) (or 
holds(s, r, o|f)) or its negation. A ground access fact is an access fact without 
any variable occurrence. We identify ¬¬F with F. An access fact expression in L^a 
is defined as follows: (i) each access fact is an access fact expression; (ii) if ψ is 
an access fact expression and φ is an isa or object proposition, then ψ ∧ φ is an 
access fact expression; (iii) if ψ and φ are access fact expressions, then ψ ∧ φ is 
an access fact expression. A ground access fact expression is an access fact 
expression with no variable occurrence in it. An access fact expression is pure if 
it has no isa proposition occurrence in it. 

Based on the above definition, the following are access fact expressions: 
holds(S, R, O) ∧ O isa subclass of C, and ¬holds(S, R, o) ∧ o isa member of C, 
where o is an object variable. 

Now we are ready to define propositions in language L^a. Firstly, L^a has the 
same types of database propositions as L, i.e. object propositions, isa propositions 
and constraint propositions. It also includes the following additional type, the 
access proposition: 

    ψ implies φ with absence γ,                                          (20) 

where ψ is an access fact expression, and φ and γ are pure access fact expressions. 
Note that ψ, φ and γ may contain variables. In this case, as before, (20) is 
treated as the set of access propositions obtained by replacing ψ, φ and γ with 
their ground instances respectively. 

As an example, consider the following access proposition: 

    holds(S, Access, Staff|id) ∧ Alice isa member of Staff 
      implies holds(S, Access, Alice|id) 
      with absence ¬holds(S, Access, Alice|id). 

Intuitively, this expression says that if subject S can access staff's id record 
and Alice is a member of Staff, then S can also access Alice's id record, provided 
the fact that S cannot access Alice's id record does not currently hold. 

It is clear that access propositions of the form (20) provide the flexibility to 
express different types of authorization policies on objects. However, to ensure 
the proper inheritance of access policies on different objects, some specific types 
of access policies are particularly important for all databases. The set of these 
kinds of authorization policies is referred to as the generic authorization scheme 
for databases. Consider 

    holds(s, r, o) implies holds(s, r, o|f) 
      with absence ¬holds(s, r, o|f),                                    (21) 

where o|f indicates a method associated with object o. Intuitively, (21) says that 
if s has access right r on object o, then s also has access right r on each of its 
methods, under the assumption that ¬holds(s, r, o|f) is not present. 
We also have the following two generic access propositions: 

    holds(s, r, c) ∧ o isa subclass of c 
      implies holds(s, r, o) 
      with absence ¬holds(s, r, o),                                      (22) 

and 

    holds(s, r, c|f) ∧ o isa subclass of c 
      implies holds(s, r, o|f) 
      with absence ¬holds(s, r, o|f).                                    (23) 

(22) and (23) guarantee the proper inheritance of access policies on subclasses. 

Finally, the following two propositions ensure the membership inheritance of 
access policies: 

    holds(s, r, c) ∧ o isa member of c 
      implies holds(s, r, o) 
      with absence ¬holds(s, r, o),                                      (24) 

and 

    holds(s, r, c|f) ∧ o isa member of c 
      implies holds(s, r, o|f) 
      with absence ¬holds(s, r, o|f).                                    (25) 

Now we can formally define our database with associated authorizations as 
follows. We will refer to this kind of database as an extended object oriented 
database. 

Definition 3. An extended object oriented database in L^a is a pair Λ = (Σ, 𝒮), 
where Σ = (Γ, Δ, Ω) is a database as defined in Definition 1, and 𝒮 = GA ∪ 𝒜 
is an authorization description on Σ, where GA is the collection of generic 
authorization propositions (21)-(25) and 𝒜 is a finite set of user-defined access 
propositions. 

The definition of the model of an extended object oriented database is similar 
to the definition of the model of an object oriented database, except that the 
access propositions are taken into account. Refer to the cited reference for the 
formal and detailed definitions and explanation. 

Taking default access propositions into account, it turns out that the models 
of an extended object oriented database need not be unique. This is shown by 
the following example. 

Example 2. Consider an extended database Λ = (Σ, 𝒮), where Σ is the staff 
database defined in Example 1 and 𝒮 = GA ∪ 𝒜, where 𝒜 is the collection of the 
following access propositions: 



    holds(S, Own, Bob),                                                  (26) 

    holds(S, Own, o) implies holds(S, Update, o) 
      with absence ¬holds(S, Update, o),                                 (27) 

    holds(S, Own, o) implies ¬holds(S, Update, o) 
      with absence holds(S, Update, o).                                  (28) 

(26) simply says that the user S owns object Bob in the database. (27) expresses 
that if S owns an object o, then S will be able to update this object in the 
absence of the fact that S cannot update o, whereas (28) states that if S owns 
an object o, then S will not be able to update this object in the absence of 
the fact that S can update o. 

Clearly, (27) and (28) override each other. It follows that Λ has two different 
models I_1 and I_2 such that 

    I_1 ⊨_Λ holds(S, Update, Bob)   and   I_2 ⊨_Λ ¬holds(S, Update, Bob). 

4 Reasoning about Authorizations 

In this section, we investigate some properties of the inheritance of authorizations 
on objects in a database. Due to the space limit, we cannot provide comprehensive 
definitions, explanations and examples here. We just give some theorems that 
summarise the properties of the inheritance of authorizations. 

An extended database may have more than one model. In this case, every 
model represents one possible interpretation of the database with associated 
authorizations. However, the class of extended databases having unique 
models presents some interesting inheritance properties of authorizations with 
respect to subclass and membership relationships among objects in databases. 
An extended database is well-specified if it has a unique model. 

Theorem 1. (Subclass Authorization Inheritance) Let Λ be a well-specified 
extended database and let S, R, C and O be an arbitrary subject constant, access 
right constant and object constants respectively. Then the following results hold. 

(i) If Λ ⊨ holds(S, R, C) ∧ O isa subclass of C and Λ ⊭ ¬holds(S, R, O), 
then Λ ⊨ holds(S, R, O). 

(ii) If Λ ⊨ holds(S, R, C|f) ∧ O isa subclass of C and Λ ⊭ ¬holds(S, R, O|f), 
then Λ ⊨ holds(S, R, O|f). 

Theorem 2. (Membership Authorization Inheritance) Let Λ be a well-specified 
extended database and let S, R, C and O be an arbitrary subject constant, access 
right constant and object constants respectively. Then the following results hold. 

(i) If Λ ⊨ holds(S, R, C) ∧ O isa member of C and Λ ⊭ ¬holds(S, R, O), 
then Λ ⊨ holds(S, R, O). 

(ii) If Λ ⊨ holds(S, R, C|f) ∧ O isa member of C and Λ ⊭ ¬holds(S, R, O|f), 
then Λ ⊨ holds(S, R, O|f). 

The above two theorems follow directly from the generic authorization scheme 
(21)-(25). The following two theorems, on the other hand, show that subclass 
and membership authorization inheritance can be overridden, so that the 
consistency of authorizations can be maintained. 

Theorem 3. (Overriding of Subclass Authorization Inheritance) Let Λ be a 
well-specified extended database and let S, R, C and O be an arbitrary subject 
constant, access right constant and object constants respectively. Then the 
following results hold. 

(i) If Λ ⊨ holds(S, R, C) ∧ O isa subclass of C and Λ ⊭ holds(S, R, O), 
then Λ ⊨ ¬holds(S, R, O). 

(ii) If Λ ⊨ holds(S, R, C|f) ∧ O isa subclass of C and Λ ⊭ holds(S, R, O|f), 
then Λ ⊨ ¬holds(S, R, O|f). 

Theorem 4. (Overriding of Membership Authorization Inheritance) Let Λ be 
a well-specified extended database and let S, R, C and O be an arbitrary subject 
constant, access right constant and object constants respectively. Then the 
following results hold. 

(i) If Λ ⊨ holds(S, R, C) ∧ O isa member of C and Λ ⊭ holds(S, R, O), 
then Λ ⊨ ¬holds(S, R, O). 

(ii) If Λ ⊨ holds(S, R, C|f) ∧ O isa member of C and Λ ⊭ holds(S, R, O|f), 
then Λ ⊨ ¬holds(S, R, O|f). 

For example, suppose that in a well-specified extended database Λ we have 
Λ ⊨ holds(Anne, Update, Staff|record), and that GenStaff and AcadStaff are 
subclasses of Staff. If neither ¬holds(Anne, Update, GenStaff|record) nor 
¬holds(Anne, Update, AcadStaff|record) is entailed by Λ, then from Theorem 1 
we get holds(Anne, Update, GenStaff|record) and holds(Anne, Update, AcadStaff|record). 
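As an added example (this script is not part of the paper), the following Python code evaluates access propositions under the default reading of "with absence": it enumerates every stable fixpoint (model) reachable by applying the generic scheme (21)-(25) and the user-defined propositions in any order. Run on Example 2 it finds the two models I_1 and I_2, so the database is not well-specified. Run on the Anne database of this section, extended with a constructed override ¬holds(Anne, Update, AcadStaff|record), it finds a unique model in which Anne's right flows to GenStaff|record and, by (25), to Alice|record and Bob|record, but not to AcadStaff|record or Carl|record (Theorems 1 to 4). The subject Anne, the method record, the METHODS table and the fact sets are constructed for the example; the isa facts are those of Example 1.

```python
# Added example, not from the paper: enumerating the models of an extended
# object oriented database under the "with absence" (default) reading.
# A ground access fact is a tuple (sign, subject, right, target) with sign "+"
# for holds(...) and "-" for ¬holds(...); a target "O|f" denotes method f of O.

# Delta of Example 1 (direct isa propositions only, as used by (22)-(25)).
SUBCLASS_OF = {("GenStaff", "Staff"), ("AcadStaff", "Staff")}
MEMBER_OF = {("Alice", "GenStaff"), ("Bob", "GenStaff"),
             ("Carl", "AcadStaff"), ("David", "AcadStaff")}
# Methods known for objects, used by (21).  Constructed for the example.
METHODS = {"Bob": ("name", "id")}


def heirs_of(c):
    """Objects o with 'o isa subclass of c' or 'o isa member of c' in Delta."""
    return {o for o, k in SUBCLASS_OF | MEMBER_OF if k == c}


def generic_scheme(facts):
    """Ground instances of (21)-(25) whose premise holds in `facts`, as pairs
    (conclusion, absence): the conclusion is derivable unless `absence` is present."""
    for sign, s, r, tgt in facts:
        if sign != "+":
            continue
        if "|" in tgt:                                   # (23), (25): c|f -> o|f
            c, f = tgt.split("|", 1)
            for o in heirs_of(c):
                yield ("+", s, r, f"{o}|{f}"), ("-", s, r, f"{o}|{f}")
        else:
            for f in METHODS.get(tgt, ()):               # (21): o -> o|f
                yield ("+", s, r, f"{tgt}|{f}"), ("-", s, r, f"{tgt}|{f}")
            for o in heirs_of(tgt):                      # (22), (24): c -> o
                yield ("+", s, r, o), ("-", s, r, o)


def own_implies_update(facts):                           # (27) of Example 2
    for sign, s, r, o in facts:
        if sign == "+" and r == "Own" and "|" not in o:
            yield ("+", s, "Update", o), ("-", s, "Update", o)


def own_implies_no_update(facts):                        # (28) of Example 2
    for sign, s, r, o in facts:
        if sign == "+" and r == "Own" and "|" not in o:
            yield ("-", s, "Update", o), ("+", s, "Update", o)


def consistent(facts):
    """No access fact together with its negation."""
    return not any(("-", s, r, t) in facts for sign, s, r, t in facts if sign == "+")


def models(facts, rules):
    """All stable fixpoints: apply applicable defaults in every order (brute force,
    adequate for a database this small).  A result is kept only if it is consistent
    and no default that was applied has since had its 'absence' fact derived."""
    found = set()

    def explore(state, applied):
        choices = {(c, a) for rule in rules for c, a in rule(state)
                   if c not in state and a not in state}
        if not choices:
            if consistent(state) and all(a not in state for _, a in applied):
                found.add(state)
            return
        for c, a in choices:
            explore(state | {c}, applied + [(c, a)])

    explore(frozenset(facts), [])
    return found


def well_specified(facts, rules):
    """The extended database has a unique model (Section 4)."""
    return len(models(facts, rules)) == 1


def entails(facts, rules, fact):
    """Lambda |= fact: the fact holds in every model."""
    return all(fact in m for m in models(facts, rules))


if __name__ == "__main__":
    ex2 = models({("+", "S", "Own", "Bob")},
                 [generic_scheme, own_implies_update, own_implies_no_update])
    print(len(ex2), "models of Example 2")             # I_1 with Update, I_2 with ¬Update
    anne = {("+", "Anne", "Update", "Staff|record"),
            ("-", "Anne", "Update", "AcadStaff|record")}
    print("well-specified:", well_specified(anne, [generic_scheme]))
```

The check that matters operationally is well_specified: a policy whose defaults can fire in conflicting orders (as (27) and (28) do) yields several models, and an enforcement point that simply evaluates rules in file order silently picks one of them. Adding an explicit ¬holds fact, as the Anne database does for AcadStaff|record, is how the scheme lets an administrator pin the intended model down.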



5 Conclusions 

In this paper, we have proposed a logical formalization for specifying authorizations 
in object oriented databases. Our work consisted of two steps: the first step 
involved a formal language L to formalize object oriented databases. We provided 
a high level language to specify an object oriented database and defined a 
precise semantics for it. Our semantics of L shares some features of Kifer et al.'s 
F-logic for specifying object oriented databases. But our database specification 
is more succinct and intuitive, and hence it has been possible to extend it by 
combining it with authorization structures. The second step was to extend L to 
language L^a by representing different types of authorizations in the database. 
It has been shown that the types of authorizations in our formalism are quite 
flexible and can be used to reason about complex authorizations compared with 
other approaches. 
An Analysis of Access Control Models 

Abstract. Access control in real systems is implemented using one or 
more abstractions based on the access control matrix (ACM). The most 
common abstractions are access control lists (ACLs) and capabilities. In 
this paper, we consider an extended Harrison-Ruzzo-Ullman (HRU) model 
to make some formal observations about capability systems versus 
access control list based systems. This analysis makes the characteristics 
of these types of access control mechanisms more explicit and is intended 
to provide a better understanding of their use. A combined model providing 
the flexibility of capabilities with the simplicity of the ACL, and 
its relation to other models proposed earlier, are discussed. 

1 Introduction 

Security is an important consideration for computer systems due to the quantity 
and sensitivity of information stored in them. Defining who has access, and to 
what extent, to this information is an important security function, variously 
known as authorisation or access control. The basic model of access control is 
the access control matrix (ACM), and current access control implementations 
are predominantly based on models directly drawn from the ACM model. The 
essential information contained in an ACM is: 

• The identity of subjects (e.g. users). 

• The identity of objects (e.g. files). 

• The access rights each subject has for each object. 

It is unwieldy to implement the ACM model directly due to the potential number 
of entries in the matrix. Also, most subjects will have no access to most objects, so 
many of the entries in the matrix will be empty. The well-known drawbacks 
of the ACM model (including, but not limited to, implementation efficiency) 
mean that it is not directly used in practice. Access control in actual systems is 
implemented by employing one or more abstractions based (more or less directly) 
on the ACM. These include: 

• Access control lists (ACLs). 

• Capabilities. 

• Roles. 

• Lattice based access control. 

The ACM model is discussed in formal terms in Sect. 2. Discussion of the more 
popular models will be based upon the formalisation of the ACM model. 

Of the abstractions listed above, ACLs and capabilities are currently the 
most common forms of access control (with implementations of ACLs being far 
more common than those of capabilities). ACLs and capabilities are very directly 
based upon the ACM. While other mechanisms, such as roles and lattice based 
access control, are related to the ACM, it is a less direct relationship. In some 
sense ACLs and capabilities represent the columns and rows of the ACM respectively. 

One of the primary reasons for the popularity of ACLs over capabilities is 
that many early implementations of capabilities had efficiency problems, although 
more recent ones, such as that for Grasshopper, have addressed several 
of these problems. Perhaps more significantly, there are certain situations where 
capabilities demonstrate drawbacks when compared with ACLs. These are discussed 
in Sect. 4. That there are problems with capabilities should come as no 
surprise. While ACLs explicitly hold all the information held in the ACM (subject 
identity, object identity, access rights), "pure" capabilities do not explicitly 
hold subject identity. This information is held implicitly, being represented 
by whichever subjects can access the capability. This is less than entirely 
satisfactory, as it can be difficult to track exactly which users have access to an 
object. However, nowadays several ticket based access control schemes, such as 
DCE and Sesame [3], include subject identity as part of the ticket structure. 

Conversely, capabilities can have certain advantages, in terms of flexibility, 
over ACLs. For example, with capabilities it is straightforward to give a particular 
user different types of access to an object. The user can simply be provided 
with multiple capabilities for the object, each capability specifying a different 
type of access. Providing multiple types of access can be useful for such purposes 
as sandboxing and delegation. Consider, for instance, access control in an object 
oriented system where access to an object is specified in terms of the methods 
that can be invoked in the object interface. Here we may give a user access to 
the object's total interface whereas different processes used by the same user 
may be given access to only subsets of the interface. Such a facility tends to be 
more difficult to achieve with ACLs. With ACLs a user is typically granted a 
single level of access to an object, regardless of how many ways they have of 
reaching that object. Problems with ACLs are noted in Sect. 3. 

In this paper, we consider an extended Harrison-Ruzzo-Ullman (HRU) model 
to make some formal observations about capability systems vs. access control list 
based systems. This analysis makes the characteristics of these types of access 
control mechanisms more explicit and is intended to provide a better understanding 
of their use. Based upon the models and analysis presented we consider a 
combined model for access control implementations. It attempts to preserve the 
simplicity of ACLs and capabilities when compared to other methods of access 
control in actual use. This is essentially due to it preserving the more direct 
relationship that ACLs and capabilities have with the ACM when compared to other 
approaches. The modified model can be used as the basis of implementations of 
either ACLs or capabilities. This should result in systems which combine the 
current advantages of both ACLs and capabilities, while offering no less security 
than currently provided by such systems. We also discuss how this combined 
model compares with other such models proposed earlier. 

2 A Basis for Formal Models of Access Control 

HRU suggested a definition of a protection system based on an access matrix, 
following Lampson. It is commonly suggested that the columns of this matrix, 
viewed in isolation, form access lists and the rows form capability lists. HRU's 
model was primarily intended to make theoretical arguments about complexity 
issues in the analysis of rights propagation in authorization systems. Our objective 
is to make some formal observations about capability vs. ACL systems, hence for 
the purposes of our discussion we require a base model which is an extension of 
HRU that is capable of describing systems without an access matrix. We therefore 
suggest the following definition: 

A protection system consists of 

1. A finite set of generic rights R.¹ 

2. A set of objects O. 

3. A set of subjects S such that S ⊆ O. 

4. A set of data available in the environment E of the system. The environment 
is controlled by the system (i.e. it is secure). 

The present state of the protection system is defined by the values of O, S 
and E. Changes in the state are modeled by 

5. A set C of commands of the form 

    command α(X_1, X_2, ..., X_k) 
      if r_1 in (X_s1, X_o1) and 
         ... 
         r_m in (X_sm, X_om) 
      then 
        op_1 
        ... 
        op_n 
    end 

Here α is a name and X_1, ..., X_k are formal parameters, each of which refers to 
either a subject or an object. Let (X_s, X_o) be defined as the rights subject X_s 
holds for object X_o [HRU, page 463], which will be represented differently in each 
model we discuss. We allow the use of more complex conditions than the simple 
[r in (X_s, X_o)] to more accurately represent the behaviour of some models. Each 
op_i is one of the primitive operations in Tab. 1. Formal definitions of the effects 
of each operation can be found in HRU. 

¹ For example, the set R for the Unix filesystem would be {read, write, execute}. 
Table 1. The primitive operations available to the commands in C 

    enter r into (X_s, X_o)         delete r from (X_s, X_o) 
    create object X_o               destroy object X_o 
    create subject X_s              destroy subject X_s 

6. A logical function f which is true iff an operation should be permitted. 

The function f formally represents the manner in which the model is used 
to determine if an operation should be permitted. It will typically involve two 
variables that depend on the access control model under consideration. The first, 
op, represents the desired operation. We are concerned not with the effect of the 
operation but with the rights it requires, and we do not wish to rule out the 
possibility that an operation may require multiple rights, thus we treat op 
as a subset of R. The second argument somehow represents the object on which 
the operation is to be performed. Note that both arguments are supplied by 
the subject; any information f requires from the system must be available in E. 

A model of access control must specify E, C and f and may specify some or 
all of R. An implementation of such a model must fully specify R, O and S in 
addition to E, C and f. Using this basis we may define the ACM model as 

M1. R contains the generic right own.² Note that R is not fully defined here. 

M2. E contains 
    s  the identity of the subject on whose behalf the system is running (s ∈ S); 
    P  a matrix with a row for each subject and a column for each object. P[s, o] 
       is a (possibly empty) subset of R containing the rights subject s holds 
       for object o. 

M3. The set of commands C is shown in Tab. 2.³ The commands for creating or 
    destroying subjects are similar to CREATE and DESTROY for objects in Tab. 2. 

M4. The function f(s, op, o) := op ⊆ P[s, o]. 
    We implicitly assume that the system is more trustworthy than the subject, 
    hence information like the subject identity in the function comes from the 
    system controlled environment E. 

The ACM model is never implemented practically, since for any real system 
the matrix would be too large and sparse to maintain efficiently. Apart from 
these problems of implementation efficiency, the ACM has a number of other 
problems. Note from (M2) above, the definition of P, that there is only one set 

² The own right controls access to commands. Space does not permit discussion of 
other methods of achieving this. 

³ Note that there are separate CONFER_r and REMOVE_r commands for each r ∈ R, 
since the formal parameters to each command can only identify an object or subject. 
Table 2. The set C of commands for the access control matrix model 

    command CREATE(obj) 
      create object obj 
      enter own into P[s, obj] 
    end 

    command CONFER_r(friend, obj) 
      if own in P[s, obj] then 
        enter r into P[friend, obj] 
    end 

    command CHOWN(new, obj) 
      if own in P[s, obj] then 
        delete own from P[s, obj] 
        enter own into P[new, obj] 
    end 

    command DESTROY(obj) 
      if own in P[s, obj] then 
        destroy object obj 
    end 

    command REMOVE_r(enemy, obj) 
      if own in P[s, obj] then 
        delete r from P[enemy, obj] 
    end 

of rights for each [s, o] pair. In this model we cannot provide multiple levels of 
access to an object for a particular subject. It could be argued that multiple 
subjects could correspond to a single real world user. This idea has some merit, 
but there is nothing in the above model which relates members of the set S to 
each other. The ACM model could be extended in this direction, treating each 
subject as a protection domain with real world users corresponding to a number 
of protection domains. However, this has some problems in terms of flexibility, 
as each subject would have a relatively fixed set of access rights. Nevertheless, 
there has been work which relates multiple members of S to a single user within 
the HRU context. Finally, the ACM is difficult to incorporate into the type 
systems of programming languages, due to its size. The advantages of being able 
to directly manipulate access control information in a programming language 
can be seen in various database and capability systems. 
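The commands of Tab. 2 and the decision function (M4) are easy to make concrete. The following Python class is an added example, not the paper's own code: it keeps the matrix P as a sparse dictionary (a missing entry is the empty set), runs the commands of Tab. 2 with the subject s taken from the environment rather than from the caller, and implements f(s, op, o) := op ⊆ P[s, o]. CONFER_r and REMOVE_r, one command per right in the paper, are folded into one method each with the right as a parameter; the subjects and objects in demo() are constructed for the example.

```python
# Added example, not from the paper: the access control matrix model (M1)-(M4)
# with the commands of Tab. 2.  Commands return True when their condition held
# and the primitive operations ran, False when the command was a no-op.

class ACM:
    RIGHTS = {"own", "read", "write", "execute"}   # R; own is required by (M1)

    def __init__(self):
        self.objects, self.subjects = set(), set()
        self.P = {}                                  # P[(s, o)] -> set of rights

    # ---- primitive operations of Tab. 1 ----
    def enter(self, r, s, o):
        assert r in self.RIGHTS and s in self.subjects and o in self.objects
        self.P.setdefault((s, o), set()).add(r)

    def delete(self, r, s, o):
        self.P.get((s, o), set()).discard(r)

    def create_object(self, o):
        self.objects.add(o)

    def create_subject(self, s):
        self.subjects.add(s); self.objects.add(s)    # S ⊆ O

    def destroy_object(self, o):
        self.objects.discard(o); self.subjects.discard(o)
        for key in [k for k in self.P if o in k]:   # drop o's column (and row, if a subject)
            del self.P[key]

    def rights(self, s, o):                          # P[s, o]
        return self.P.get((s, o), set())

    # ---- commands of Tab. 2; `s` comes from the environment E, not from the caller ----
    def CREATE(self, s, obj):
        self.create_object(obj); self.enter("own", s, obj); return True

    def CONFER(self, s, r, friend, obj):             # CONFER_r
        if "own" not in self.rights(s, obj): return False
        self.enter(r, friend, obj); return True

    def CHOWN(self, s, new, obj):
        if "own" not in self.rights(s, obj): return False
        self.delete("own", s, obj); self.enter("own", new, obj); return True

    def DESTROY(self, s, obj):
        if "own" not in self.rights(s, obj): return False
        self.destroy_object(obj); return True

    def REMOVE(self, s, r, enemy, obj):              # REMOVE_r
        if "own" not in self.rights(s, obj): return False
        self.delete(r, enemy, obj); return True

    # ---- (M4): an operation needing rights `op` on o is permitted iff op ⊆ P[s, o] ----
    def f(self, s, op, o):
        return set(op) <= self.rights(s, o)


def demo():
    """Constructed scenario: alice creates a file, shares read with bob, then
    hands ownership to bob.  Returns the system and the list of command/f results."""
    acm = ACM()
    for who in ("alice", "bob"):
        acm.create_subject(who)
    acm.CREATE("alice", "report")
    trace = [
        acm.CONFER("alice", "read", "bob", "report"),    # True: alice owns report
        acm.f("bob", {"read"}, "report"),                # True
        acm.f("bob", {"read", "write"}, "report"),       # False: write not held
        acm.CONFER("bob", "write", "bob", "report"),     # False: bob is not the owner
        acm.CHOWN("alice", "bob", "report"),             # True
        acm.CONFER("bob", "write", "bob", "report"),     # True: bob now owns it
        acm.f("bob", {"read", "write"}, "report"),       # True
        acm.CONFER("alice", "write", "alice", "report"), # False: alice no longer owns it
    ]
    return acm, trace


if __name__ == "__main__":
    acm, trace = demo()
    print(trace)
```

Two points worth noticing in the trace: a command whose condition fails is simply a no-op (the model has no error channel, which is why real systems add auditing on top), and after CHOWN alice retains whatever non-own rights she had but can no longer confer any, because every command in Tab. 2 is gated on own alone.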

3 The Access Control List Model 

Informally, ACLs can be described as a system where the access control 
information for an object is stored with the object. This avoids the need to maintain 
a large, sparse matrix. Having no central point holding all access control 
information improves efficiency. Most implementations of ACLs do not store an entry 
for each user with the object, or even for every user that actually has some level 
of access to the object, but will use some mechanism, for example groups, to 
limit the amount of information to be stored. 

ACLs tend to either be inflexible, as in the short, three entry lists used by 
Unix which restrict the access control policies that can be implemented, or hard 
to manage, as in the large and dynamic lists used by Windows NT4. These 
problems arise from the necessity of holding all access rights combinations for a 
particular object in a single structure. ACLs inherit the limitation of only one 
set of rights per subject-object pair from the ACM. The discussion of this issue 
in Sect. 2 also applies here. Also, it would be difficult for such a model to be 
integrated into programming language type systems. While such an undertaking 
is not impossible, observation demonstrates that it is rarely, if ever, carried out. 
This is possibly due to the ACLs being (at least conceptually) stored in the 
filesystem with the object protected, rather than in the data area of a process. 
If ACLs were part of the type system of a language, as a first class data type, 
then manipulating objects and associated protection policies within code would 
become straightforward operations. Such operations could be subjected to the safeguards 
applied to other operations within a language, such as type-checking (by the 
compiler and at runtime, as appropriate). 

3.1 Groups 

Before we can give a complete formalisation of the ACL model, it is necessary to 
provide a formalisation of the concept of groups. Some access control systems, for 
example Unix, include the concept of groups of subjects to which access rights 
may be granted. We may formalise the concept as follows: 

G1. There exist subsets of S called groups. Let the set of these groups be G. 

G2. In many systems there is a world group W ∈ G consisting of all subjects. 

G3. For every subject s ∈ S let γ_s ⊆ G denote the set {g | g ∈ G ∧ s ∈ g}. 
Thus γ_s is the set of all groups of which s is a member. As the world group 
consists of all subjects, every subject is a member of at least that group, if 
no others, and therefore γ_s is not empty for any subject. 

G4. To the matrix P defined in (M2) we add a row for each group. This means 
that P has a row for each s ∈ S and each g ∈ G. 



3.2 A Gomplete Model for Access Gontrol Lists 

Given a definition of groups we may now give a complete model for access con- 
trol lists. In this model the list associated with each object may contain an entry 
for each subject and for each group which exists in the system. An operation is 
allowed if the required right is present in the list either in the subject’s entry or 
in the entry for any of the groups of which the subject is a member. A different 
interpretation of groups presumes that the rights of a subject’s groups are con- 
sidered iff the rights of the subject are not specified. This second interpretation 
is used in the Unix filesystem. 

L1. $R$ is as in (M1). 

L2. $E$ contains 

    $s$ as in (M2). 

    $W$ as described in (G2). 

    $\gamma_s$ as described in (G3). 

    $l_o$ the set $\{s \mapsto \rho \mid s \in S \wedge \rho = P[s, o]\} \cup \{g \mapsto \rho \mid g \in G \wedge \rho = P[g, o]\}$ 
    for each $o \in O$. 

L3. $C$ contains the commands in Tab. 2, but with $l_{obj}[s]$ substituted for $P[s, obj]$. 

L4. $f(op, o) := (op \subseteq l_o[s]) \vee \exists g\,[(g \in \gamma_s) \wedge (op \subseteq l_o[g])]$ 

An Analysis of Access Control Models 287 



Groups give added flexibility as, for example, altering access to a particular 
object for a group requires updating a single entry, rather than the entry for 
each user. They also allow the amount of information held in each list to be 
reduced. However, the problems identified in Sect. 2 have still not been fully 
addressed. While different levels of access to a particular object can apparently 
be provided to a single subject (by using different group entries), in the above 
model the subject has rights which are the union of all entries (primarily due 
to the 'or' in (L4)). The list has dynamic length and a complicated structure, 
making it difficult to use with a programming language. 
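The two readings of group entries described above, written out as an added Python illustration (this is not code from the paper; the subjects, groups, rights and the list l_o for one object are constructed for the example). `allowed_union` is the access function (L4), in which a subject ends up with the union of every entry that applies to it; `allowed_unix` is the second reading, in which group entries are consulted only when the subject has no entry of its own.

```python
"""ACLs with group entries (Sect. 3.2): the union reading of (L4) beside the
Unix-style reading.  Added illustration, not the paper's code; the subjects,
groups, rights and the list l_o below are constructed for the example."""

WORLD = "W"                                   # the world group of (G2)

# Constructed sample: groups as subsets of S, and l_o for one object 'report'.
GROUPS = {"staff": {"alice", "bob"}, "auditors": {"bob"}}
L_REPORT = {"alice": {"read"},                # an entry for a subject ...
            "staff": {"read", "write"},       # ... and entries for groups
            "auditors": {"read", "destroy"},
            WORLD: set()}

def gamma(s, groups):
    """gamma_s of (G3): every group containing s, plus the world group."""
    return {g for g, members in groups.items() if s in members} | {WORLD}

def allowed_union(op, s, l_o, groups):
    """(L4): op is granted if it is covered by the subject's own entry or by the
    entry of any group in gamma_s; in effect the subject gets the union."""
    return op <= l_o.get(s, set()) or any(op <= l_o.get(g, set()) for g in gamma(s, groups))

def allowed_unix(op, s, l_o, groups):
    """Second reading: group entries count only if s has no entry of its own."""
    if s in l_o:
        return op <= l_o[s]
    return any(op <= l_o.get(g, set()) for g in gamma(s, groups))

def effective_rights(s, l_o, groups, unix=False):
    """Every right s can exercise on the object under the chosen reading."""
    if unix and s in l_o:
        return set(l_o[s])
    return set(l_o.get(s, set())).union(*(l_o.get(g, set()) for g in gamma(s, groups)))
```

With this data alice's own entry says read only, yet under (L4) she may write because she is in staff; under the Unix reading her own entry wins and the write is refused. Neither reading lets one subject hold two distinct levels of access to the same object, which is the limitation the text is pointing at.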



4 Capabilities 






Capabilities were first proposed by Dennis and Van Horn [3]. Since then there have 
been a number of attempts to implement and/or refine them [1,2,12,10]. 

A capability (in its basic form) consists of a reference to and a set of rights 
for an object. The essential aspect of capabilities is that each (object, rights) pair 
is considered a separate entity. With ACLs each (subject, rights) pair is considered 
an integral part of the list. There is nothing inherent in the concept of storing 
access control information with the object to which it applies that prohibits the 
treatment of each (subject, rights) pair as a separate entity. However, this is not 
done for existing models and implementations, as can be gathered from Sect. 3. 
Any subject possessing or able to reference a capability may use it to access the 
object identified within it, subject to the rights stored in the capability. The 
major advantages of capabilities when compared to ACLs are: 



• It is easier to provide a user with multiple levels of access to an object. 

• They integrate more easily into the type systems of programming languages. 

• Naming and protection mechanisms can be unified. 

These advantages derive directly from the treatment of each (object, rights) 
pair as a separate entity. As the structure of a capability is much simpler than an 
ACL (even the limited form provided by Unix), they are more readily adaptable 
to the needs of programming languages. Even with some capability implementations 
which have a more complicated structure for capabilities, the conceptual 
storage of capabilities with the subject makes it more appealing to store them in 
the data areas of the subject's processes. As a capability contains a reference to 
the object protected, the capability can be directly used to reference the object. 
This unifies the naming and protection mechanisms. 
4.1 A Basic Capability Model 

We may formulate a basic capability model in the following manner: 

BC1. There exist pairs $(o, \rho)$ in the system called capabilities. Let $o$ be an object 
reference and $\rho$ a set of rights. Possession of a capability permits access to 
the object to which it refers. 

BC2. $R$ contains the rights $\{destroy, write, read, derive, confer, renew\}$. Note 
that $R$ is not fully defined here. 

The rights in $R$ define the permissions which the holder of a capability has to 
the object to which the capability refers and to the capability itself. The destroy 
right allows destruction of the object to which the capability refers, write allows 
writing and read allows a capability to be read from the object. The derive 
right allows a new capability to be derived from this one, confer permits the 
capability to be given to another and renew permits the holder of the capability 
to revoke all capabilities to the object. Another way of achieving the same result 
would be to replace some or all of the rights in $R$ with a single right own. 

BC3. $E$ contains 

    $e$ the identity of the current unit of execution (e.g. process, thread, locus 
    etc.). This 'unit of execution' forms a kind of restricted subject, hence 
    $e \in S \subseteq O$. A user may have many such 'restricted subjects'. 

    $pd$ the protection domain in which we are currently executing ($pd \in O$). 
    This is not the equivalent of subject identity since many subjects may 
    have access to a single protection domain and a single subject may have 
    access to many protection domains. 

    $Cl_e$ the set of capabilities possessed by $e \in S \subseteq O$. There are a number of 
    ways this list may be implemented. 

BC4. $C$ contains the commands in Tab. 3. The capabilities which may be 
presented to the commands in Tab. 3 are those in $Cl_e$ and $Cl_{pd}$. (The formal 
parameters to the commands in Tab. 3 are capabilities, which are valid object (and 
subject) identifiers.) 

Note that not all commands in Tab. 3 are available in all capability systems. 
The DESTROY command has the effect of rendering all capabilities to the 
destroyed object invalid. The RENEW command renders all capabilities to 
the renewed object, except $(o, \rho)'$, invalid. The ACQUIRE command reads a 
capability from an object into the capability list of the current subject. 

Table 3. The set C of commands for a basic capability system 

    command CREATE((o, ρ))
      create object o
      enter (o, ρ) into Cl_e
    end

    command DESTROY((o, ρ))
      if f(destroy, (o, ρ)) then
        destroy object o
    end

    command RENEW((o, ρ))
      if f(renew, (o, ρ)) then
        enter (o, ρ)' into Cl_e
    end

    command ACQUIRE((o1, ρ1), (o2, ρ2))
      if f(read, (o1, ρ1)) and (o2, ρ2) in Cl_o1 then
        enter (o2, ρ2) into Cl_e
    end

    command DERIVE((o, ρ1), (o, ρ2))
      if f(derive, (o, ρ1)) and ρ2 ⊆ ρ1 then
        enter (o, ρ2) into Cl_e
    end

    command CONFER((o1, ρ1), (o1, ρ2), (o2, ρ3))
      if f(confer, (o1, ρ1)) and f(write, (o2, ρ3)) and ρ2 ⊆ ρ1 then
        enter (o1, ρ2) into Cl_o2
    end

BC5. The function $f(op, (o, \rho)) := (op \subseteq \rho) \wedge ((o, \rho) \in Cl_e \cup Cl_{pd})$ 

Hence the result of $f$ is dependent on both the capabilities in $Cl_e$ and system 
changes to $Cl_{pd}$. 

The most serious flaw with pure capabilities derives from a readily observable 
property of (BC5). Unlike the equivalent function for ACLs, the access control 
function for capabilities does not explicitly employ the identity of the subject. 
This information is implicitly derived from the identity of the subject attempting 
access. It is assumed that if the subject can reference the capability then they are 
entitled to the access it embodies. This may not be the intention of the entity 
entrusted with formulating the security policy for the object. A well known 
problem with capabilities (in their basic form) is that there is no elegant way of 
tracking the propagation of capabilities or revoking them once they have been 
propagated. However, there are various proposals for handling revocation, such 
as the capability hierarchies proposed by Anderson. 



4.2 Revocation with Capability Hierarchies 

A capability model with capability hierarchies can be formalised as follows: 

CH1. To the environment $E$ in (BC3) we add 

    $Ch_o$ the hierarchy of capabilities for each object $o \in O$. Let $Ch_o[(o, \rho)]$ 
    denote the subhierarchy consisting of $(o, \rho)$ and its children. 

CH2. To the CREATE command in Tab. 3 add the line: enter $(o, R)$ into $Ch_o$. 

CH3. To the DESTROY command add: destroy $Ch_o$. 

CH4. To RENEW add: destroy $Ch_o$; enter $(o, \rho)'$ into $Ch_o$. 

CH5. To DERIVE add: enter $(o, \rho_2)$ into $Ch_o$. 

CH6. Add the command 

    command REVOKE((o, ρ))
      if revoke in ρ then
        destroy Ch_o[(o, ρ)]
    end

CH7. The function 

$f(op, (o, \rho)) := (op \subseteq \rho) \wedge ((o, \rho) \in Cl_e \cup Cl_{pd}) \wedge ((o, \rho) \in Ch_o)$ 

While the capability hierarchy allows inspection of existing capabilities and 
their selective revocation, it provides no means for determining which subjects 
have access to a given capability. In this sense, revocation must work in an 
essentially ‘blind’ fashion. Any attempt to deny a particular subject access to 
an object is difficult at best, as it cannot be determined in any straightforward 
manner which capabilities the subject can reference. Capability implementations 
with a hierarchy essentially have all the problems of the basic capability model. 

5 Discussion 

To this point we have identified problems with each model discussed. The matrix 
model was difficult to implement due to its size and sparsity. It is difficult to 
provide multiple types of access for a single user, though this can be achieved 
by associating multiple subjects with each user. Further it is difficult, due to its 
size, to incorporate it into the type systems of programming languages. 

Access control lists go some way to remedying these problems, by providing a 
more efficient implementation, and incorporating concepts such as groups to limit 
the amount of data to be stored. Nevertheless, ACLs are difficult to incorporate 
into the type systems of programming languages. 

Capabilities also provide a more efficient means of implementing the ACM. 
Further their relatively simple structure enables them to be incorporated into 
the type systems of programming languages. However, the lack of consideration 
of subject identity in pure capability systems makes selective revocation difficult 
and the task of computing which subjects can access a given object intractable. 
Even when combined with Anderson’s hierarchies it is difficult to track which 
subjects can access a given object and revocation must be done in a ‘blind’ 
fashion, without a full appreciation of which subject’s access has been revoked. 

It appears that the problems in the capability model are avoided by ACLs due 
to their consideration of subject identity. Conversely by attaching capabilities 
to the units of execution (rather than directly to subjects) the capability model 
is able to grant differing levels of access to different subjects — something not 
achieved in the generally employed ACL systems. In the following section we 
discuss a model which employs subject identity and allows multiple types of 
access to an object for a given user while avoiding the problems identified above. 

Others have observed the advantages of combining ACLs with capabilities, 
such as Karger and Gong. Karger's SCAP system essentially makes capabilities 
the cached results of ACL lookups. Whilst this overcomes the security 
problems with capabilities, it does so at the expense of their superior flexibility. 
Gong envisions an exception list attached to each object, listing those subjects 
whose capabilities for that object have been revoked, but such a system also 
sacrifices the flexibility of capabilities. Both authors appeal to the inability of 
capabilities to provide a means of tracing which users have access to a given 
object as justification for combining them with ACLs, but neither identifies the 
fundamental defect in the capability model which is the cause of this problem. 

Table 4. The ADDSBJ and DELSBJ commands for capabilities with users 

    command ADDSBJ((o, ρ1, σ1), (o, ρ2, σ2), friend)
      if f(addsbj, (o, ρ1, σ1)) and (o, ρ2, σ2) in Ch_o[(o, ρ1, σ1)] then
        enter friend into σ2
    end

    command DELSBJ((o, ρ1, σ1), (o, ρ2, σ2), enemy)
      if f(delsbj, (o, ρ1, σ1)) and (o, ρ2, σ2) in Ch_o[(o, ρ1, σ1)] then
        delete enemy from σ2
    end



6 A Combined Model 



In order to employ subject identity in the capability model, we take the hierarchical 
model of Sect. 4.2 and make each capability a triple consisting of object 
identity, rights and a set of subjects allowed to use the capability. Then 

S1. To $R$ we add $\{addsbj, delsbj\}$. 

S2. To $E$ we add $s$ as in (M2). 

S3. To $C$ we add the commands in Tab. 4. 

S4. CREATE enters $(o, R, \{s\})$ into both $Cl_{pd}$ and $Ch_o$. 

S5. DERIVE enters $(o, \rho_2, \{s\})$ into both $Cl_{pd}$ and $Ch_o$. 

S6. CONFER enters $s$ into the user set for the $(o_1, \rho_2)$ capability. 

S7. The function 

$f(op, (o, \rho, \sigma)) := (op \subseteq \rho) \wedge ((o, \rho, \sigma) \in Cl_e \cup Cl_{pd}) \wedge ((o, \rho, \sigma) \in Ch_o) \wedge (s \in \sigma)$ 

This solution provides a convenient method of tracking which subjects have 
access to a given object, by searching the subject sets of the capability hierarchy 
of that object. Furthermore, revocation of an individual subject’s rights can be 
achieved by removing them from the subjects set of the relevant capability. Fi- 
nally, sets have already been incorporated into the type systems of programming 
languages, and thus should not pose a problem in incorporating capabilities into 
those type systems. 
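The basic model of Sect. 4.1, the hierarchy of Sect. 4.2 and the subject sets of this section, as an added Python simulation (not the paper's code). The object, unit-of-execution and subject names are constructed; `revoke` is assumed to be the right that REVOKE in (CH6) tests for, and DERIVE is given an optional target unit so that handing a derived capability to another process can be shown without modelling ACQUIRE's object-side capability lists.

```python
"""Capabilities with a hierarchy Ch_o (Sect. 4.2) and per-capability subject
sets sigma (Sect. 6), as an added simulation.  Not the paper's code: the object,
unit-of-execution and subject names are constructed, and `revoke` is taken to be
the right that REVOKE in (CH6) tests for."""

RIGHTS = frozenset({"destroy", "write", "read", "derive", "confer", "renew",
                    "revoke", "addsbj", "delsbj"})          # (BC2) + (S1) + revoke

class Cap:
    """A node of Ch_o: the triple (o, rho, sigma) of Sect. 6 plus its children."""
    def __init__(self, o, rho, sigma):
        self.o, self.rho, self.sigma = o, frozenset(rho), set(sigma)
        self.children, self.valid = [], True

    def subtree(self):
        """Ch_o[(o, rho)]: this capability and everything derived from it."""
        stack, out = [self], []
        while stack:
            c = stack.pop()
            out.append(c)
            stack.extend(c.children)
        return out

class CapSystem:
    def __init__(self):
        self.Ch = {}     # object -> root of its capability hierarchy Ch_o
        self.Cl = {}     # unit of execution e -> set of capabilities Cl_e

    def f(self, op, cap, e, s):
        """(S7): op ⊆ rho, cap in Cl_e, cap still in Ch_o, and s in sigma."""
        return (op <= cap.rho and cap in self.Cl.get(e, ())
                and cap.valid and s in cap.sigma)

    def create(self, e, s, o):
        """CREATE with (S4): (o, R, {s}) enters Cl_e and becomes the root of Ch_o."""
        cap = Cap(o, RIGHTS, {s})
        self.Ch[o] = cap
        self.Cl.setdefault(e, set()).add(cap)
        return cap

    def derive(self, e, s, cap, rho2, into=None):
        """DERIVE with (S5) and (CH5): child (o, rho2, {s}) with rho2 ⊆ rho, entered
        into Ch_o and into Cl of `into` (a CONFER-style hand-over) or of e."""
        if not (self.f({"derive"}, cap, e, s) and rho2 <= cap.rho):
            return None
        child = Cap(cap.o, rho2, {s})
        cap.children.append(child)
        self.Cl.setdefault(e if into is None else into, set()).add(child)
        return child

    def addsbj(self, e, s, cap, target, friend):
        """ADDSBJ (Tab. 4): admit friend to sigma of a capability in Ch_o[cap]."""
        if not (self.f({"addsbj"}, cap, e, s) and target in cap.subtree()):
            return False
        target.sigma.add(friend)
        return True

    def delsbj(self, e, s, cap, target, enemy):
        """DELSBJ (Tab. 4): strike enemy from sigma of a capability in Ch_o[cap]."""
        if not (self.f({"delsbj"}, cap, e, s) and target in cap.subtree()):
            return False
        target.sigma.discard(enemy)
        return True

    def revoke(self, e, s, cap):
        """REVOKE (CH6): destroy Ch_o[cap], invalidating the whole subtree."""
        if not self.f({"revoke"}, cap, e, s):
            return False
        for c in cap.subtree():
            c.valid = False
        return True

def demo():
    """Constructed scenario: alice lends read access to 'doc' to bob's process."""
    cs = CapSystem()
    root = cs.create("proc_a", "alice", "doc")
    ro = cs.derive("proc_a", "alice", root, {"read"}, into="proc_b")
    out = {"bob_before_addsbj": cs.f({"read"}, ro, "proc_b", "bob")}
    cs.addsbj("proc_a", "alice", root, ro, "bob")
    out["bob_reads"] = cs.f({"read"}, ro, "proc_b", "bob")
    out["bob_writes"] = cs.f({"write"}, ro, "proc_b", "bob")
    # carol's code runs inside proc_b and can reference ro, but is not in sigma:
    out["carol_reads"] = cs.f({"read"}, ro, "proc_b", "carol")
    out["bob_cannot_widen"] = cs.derive("proc_b", "bob", ro, {"read", "write"}) is None
    # (S7) makes "who can reach doc?" a walk over the subject sets of Ch_doc:
    out["holders_of_doc"] = sorted(set().union(*(c.sigma for c in root.subtree())))
    cs.delsbj("proc_a", "alice", root, ro, "bob")
    out["bob_after_delsbj"] = cs.f({"read"}, ro, "proc_b", "bob")
    cs.revoke("proc_a", "alice", root)
    out["alice_after_revoke"] = cs.f({"read"}, root, "proc_a", "alice")
    return out
```

The `carol_reads` line is the point of the section: in the basic model (BC5) anything that can reference `ro` from inside `proc_b` may use it, whereas with the $s \in \sigma$ conjunct of (S7) only the subjects admitted by ADDSBJ can, and `holders_of_doc` is computed by walking the subject sets of $Ch_{doc}$ rather than by searching every process.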

It is also possible to extend the flexibility of an ACL system by incorporating 
a modified form of the 'restricted subject' and 'protection domain' concepts 
introduced in Sect. 4.1 into an ACL system. By creating a number of restricted 
subjects for each normal subject then allowing an ACL to contain entries for 
the restricted subjects, a normal subject can cause a unit of execution to run 
on behalf of one of the restricted subjects, thereby giving the normal subject 
multiple types of access to a single object. In this case, the concepts of 'restricted 
subject' and 'protection domain' have been combined. Whilst this addition 
provides some of the flexibility of the capability model to ACLs, it does not make 
the incorporation of ACLs into the type systems of programming languages any 
easier. Indeed, it is this difficulty which prevents us from transferring the 'restricted 
subject' and 'protection domain' concepts directly. This would require 
entries in some ACLs for units of execution, which are created and destroyed 
too quickly for this to be practical. The ability of units of execution to contain 
embedded capabilities effectively reduces this problem in capability systems. 
Abstract. A method is proposed that allows each individual party to an elliptic 
curve cryptosystem to quickly determine its own unique pair of finite field and 
Weierstraß equation, in such a way that the resulting pair provides adequate 
security. Although the choice of Weierstraß equations allowed by this proposal 
is limited, the number of possible finite fields is unlimited. The proposed 
method allows each participant to select its elliptic curve cryptosystem 
parameters in such a way that the security is not affected by attacks on any 
other participant, unless unanticipated progress is made affecting the security 
for a particular Weierstraß equation irrespective of the underlying finite field. 
Thus the proposal provides more security than elliptic curve cryptosystems 
where all participants share the same Weierstraß equation and finite field. It 
also offers much faster and less complicated parameter initialization than 
elliptic curve cryptosystems where each participant randomly selects its own 
unique Weierstraß equation and thus has to solve the cumbersome point 
counting problem. 



1 Introduction 

Elliptic curve cryptosystems come in many different flavors. However, they all have 
the following in common: a point of high prime order in the group of points of an 
elliptic curve over a finite field. In this paper, let F_p denote the finite field (of 
cardinality p for a prime power p), let E be an equation defining the elliptic curve over 
F_p, let E(F_p) be the group of points of that elliptic curve over F_p, and let Q be the point 
of high prime order q in E(F_p). In some elliptic curve cryptosystems all participants 
share the elliptic curve data (F_p, E, Q, q), in others each participant selects its own curve 
data. In this paper these systems are referred to as shared and non-shared systems, 
respectively. 

In either case, given shared or non-shared curve data, each participant selects 
its own private key and computes the corresponding public key in the following 
manner: party A selects a random positive integer m_A < q and computes the point G_A 
= m_A · Q in E(F_p) (with · denoting scalar multiplication in E(F_p)). In a shared curve 
system the public key of party A consists of G_A, with (F_p, E, Q, q) implicitly defined as 
system wide constants and presumably determined beforehand by a central authority. 
In a non-shared system A's public key consists of (F_p, E, Q, q, G_A), with (F_p, E, Q, q) 
unique to party A, and therefore more appropriately referred to as (F_p(A), E_A, Q_A, q_A). In 
both systems A's private key consists of the integer m_A. 
Shared and non-shared systems have their own advantages and disadvantages. An 
advantage of shared systems is that the part of A's public key data that is unique to A 
consists of just G_A instead of the five-tuple (F_p(A), E_A, Q_A, q_A, G_A), which facilitates key 
certification and communication set-up. Another advantage of the shared approach is 
that, since the computation involved in determining the curve data (F_p, E, Q, q) has 
been carried out beforehand by a central authority, none of the parties has to perform 
complicated or lengthy computations to generate their private and public keys: 
selecting a random integer and performing a scalar multiplication in E(F_p) suffices. 
Key generation in a non-shared system may be quite involved: if party A picks finite 
fields and curve equations at random, highly non-trivial counting techniques have to 
be employed to check if an appropriate point of high prime order exists. These are 
probably the reasons why most elliptic curve cryptosystem proposals these days are 
shared systems. 

Non-shared systems may, however, be preferable if security and not 
efficiency is the top-priority. In a shared system, it is conceivable that an attack on 
one participant’s public key affects some other participant’s security as well, in 
particular if an index calculus type attack against elliptic curve cryptosystems would 
be found. In such attacks individual problems often become relatively easy once an 
initial database has been built. With the current state of the art of methods to solve the 
discrete logarithm problem in groups of elliptic curves, however, data generated to 
attack a particular non-shared public key have no effect at all on the security of any 
other non-shared public key. This is the case even if only the underlying finite fields 
are different but the curve equation remains the same. 

In this paper a non-shared system is proposed for which the public key data 
is relatively short and can easily be constructed by each participant, and such that an 
attack on one participant does not affect the security of any other participant. Thus the 
proposal combines the advantages of the more traditional shared and non-shared 
systems, without having any of their disadvantages. The Weierstraß models used in 
this proposal are not new. At least one of them even goes back to Gauss. Also, their 
application to elliptic curve cryptosystems has been proposed before, e.g. [3: page 
158]. What is new, however, is the way each party uses its identity to select an 
appropriate elliptic curve (i.e., a Weierstraß model and a finite field F_p) and a suitable 
point of high order, and how other users reconstruct that party's public key data based 
on the same identity and a small number of additional bits. 

The paper is organized as follows. In Section 2 the theoretical background is 
reviewed, in Section 3 the new non-shared elliptic curve key generation method is 
presented, and in Section 4 a more detailed comparison with shared and other non- 
shared systems is provided. 



2 Background 

The theoretical background on elliptic curves reviewed in this section can be verified 
by anyone with adequate background in elliptic curves (cf. [5]), or using any standard 
textbook, e.g. [6]. 

Table 1 lists eight Weierstraß models Y^2 = X^3 + uX + v for elliptic curves. If p = 3 
mod 4 is a prime that satisfies the conditions in one of the rows of Table 1, then the 
Weierstraß model Y^2 = X^3 + uX + v in that row defines a non-supersingular elliptic 
curve E_{u,v} = E over F_p. In this paper only prime fields F_p are considered. The 
discriminant Δ of the endomorphism ring and the cardinality |E(F_p)| of the group of 
points E(F_p) of E over F_p are also listed in Table 1, where j(m,n) = 1 if m is a square 
modulo n and j(m,n) = -1 if m is not a square modulo n. The last column of Table 1 
lists a fixed divisor of |E(F_p)| (i.e., in some cases the group order is not prime). Note 
that the rows for d = 7, 11, 19, 43, 67, and 163 share the same fourth, fifth and sixth 
columns, with exceptions for d = 11 and d = 7 for the fifth and sixth column, 
respectively. 

For example, if d = 7 and p is a prime that is 3 mod 4 for which there are 
non-negative integers a, b such that a^2 + 7b^2 = 4p and a ≠ 1, then Y^2 = X^3 - 35X - 98 
defines a non-supersingular elliptic curve E_{-35,-98} = E over F_p, and the cardinality of 
the group of points E(F_p) is p+1-j(2a,7)a. Furthermore, p+1-j(2a,7)a is divisible by 8. 

Table 1. Weierstraß models. 

Δ = -d, Y^2 = X^3 + uX + v; conditions on p, d and a, b ∈ Z≥0; group cardinality |E(F_p)|; fixed divisor of |E(F_p)|. 

  d     u            v              conditions on p, d, and a, b          group cardinality       fixed divisor 
  ---   ----------   ------------   -----------------------------------   ---------------------   ------------- 
  3     0            16             a^2 + 3b^2 = 4p, p = 1 mod 3,         p + 1 + a               9 
                                    a = 1 mod 3, b = 0 mod 3 
  8     -270         -1512          a^2 + 2b^2 = p,                       p + 1 - 2a              2 
                                    a = 1 mod 4 if p = 3 mod 16, 
                                    a = 3 mod 4 if p = 11 mod 16 
  7     -35          -98            a^2 + d b^2 = 4p, a ≠ 1               d ≠ 11:                 d = 7: 8 
  11    -9504        -365904        (same for all six rows)               p + 1 - j(2a,d) a       d ≠ 7: 1 
  19    -608         5776                                                 d = 11: 
  43    -13760       621264                                               p + 1 + j(2a,11) a 
  67    -117920      15585808 
  163   -34790720    78984748304 



The same WeierstraB model used over two different finite fields gives rise to two 
different and, from a security point of view, independent groups. With the current 
algorithms, ability to solve discrete logarithms in one of those groups does not make it 
easier to compute discrete logarithms in the other group. 



3 Non-shared Elliptic Curve Key Generation 

Table 1 can be used for elliptic curve key generation in the following manner (for 
d = 3 this is implied by [3: page 158]): generate a random prime p = 3 mod 4 of a 
specified size, try and solve the equation for a, b, d, and p for all d's in Table 1, if 
successful for some d then check if the group cardinality for the corresponding curve 
satisfies the obvious security requirements, and repeat with another prime p until a 
good curve has been found. This straightforward approach has the advantage that 
primes can be chosen having advantageous computational properties. But since it 
requires a relatively complicated computation (namely the attempt to solve for a given 
p the equation a^2 + tb^2 = 4p for various t's) the following even simpler approach is used 
here: pick a random integer a of appropriate size, and search for a non-negative 
integer b until the conditions in at least one row of Table 1 are satisfied for a prime p 
that is 3 modulo 4, and such that the group cardinality satisfies the security 
requirements. 

The resulting elliptic curve key generation method makes use of the 
following function to check if a candidate a,b pair is satisfactory for a certain d. 

3.1 Check Conditions on d, a, b, and x 

This function not only checks that d, a, and b lead to a ‘good’ curve according to 
Table 1, but also checks that a point of high prime order can easily be computed on 
the curve as a function of the additional input parameter x. Curves that are otherwise 
‘good’ are rejected if the prescribed x does not lead, in some standard way that is 
described below, to a point of high prime order (cf. Remark (3.6)). 

Input: Positive integers d, a, b, x, where d is one of the values in the first 

column of Table 1. 

Output: Either ‘Failure’, or d, p, q, and Q, where p and q are two primes, 

and Q is a point of order q in the group of the curve corresponding to d over Fp (i.e., 
all public key data required, except for the point G). 

1. Check if the conditions in the row referred to by d and the fourth column of 
Table 1 are satisfied for d, a, b, and if the resulting number p is a prime that is 3 
mod 4. If not, then output ‘Failure’ and terminate. 

2. Compute the group cardinality according to the fifth column (and appropriate 
row), and check if it can be written as q*f for a prime q and a positive integer f < 
32 (the fixed divisor from the sixth column will be a factor of f). If not, then 
output ‘Failure’ and terminate. (The bound of 32 on f is arbitrarily chosen and 
may be replaced by any value that is convenient and that still offers acceptable 
security.) 

3. Check that there is no integer m with m(ln(m*ln(p)))^2 < 0.02(ln(p))^2 for which q 
divides p^m - 1. If such an integer m exists, then output 'Failure' and terminate. 
(Existence of a small m for which q divides p^m - 1 implies that the group of points 
of the corresponding curve over F_p is susceptible to a subexponential-time attack 
based on the Weil or Tate pairing. It is well known that such curves should be 
avoided for cryptographic applications. The bound on m follows trivially from 
the heuristic runtime estimate of the Number Field Sieve based subexponential- 
time discrete logarithm algorithm.) 

4. Compute y = (x^3 + ux + v)^((p+1)/4) modulo p, with u and v corresponding to d 
according to the second and third columns of Table 1, check if y^2 = x^3 + ux + v 
modulo p (i.e., if the y thus computed is indeed the squareroot modulo p of x^3 + 
ux + v) and if so put P = (x mod p, y). If y^2 ≠ x^3 + ux + v modulo p, i.e., if no 
point with x-coordinate equal to x modulo p is on the curve indicated by d, then 
output 'Failure' and terminate. (The condition that p = 3 mod 4 is required for the 
efficient modular squareroot computation in this step.) 

5. Compute Q = f · P in E_{u,v}(F_p) with u and v as in the previous step, and check that 
Q is not equal to the identity element in E_{u,v}(F_p). If Q is equal to the identity 
element, then output 'Failure' and terminate. (Due to the way Q is constructed it 
has order either 1 or q; a point Q of order 1 is worthless. If d = 3 then f may be 
replaced by f/3 because the order 9 subgroup is not cyclic.) 

6. Check that q · Q is the identity element in E_{u,v}(F_p). If not, then output 'Failure' 
and terminate. (This failure indicates an inconsistency, either due to an 
implementation error or, when called from (3.3), to an intentional attempt to 
reconstruct a 'wrong' key.) 

7. Output d, p, q, and Q. 

For the key generation it is assumed that each participant to the system has a unique 
ID: a bitstring that uniquely identifies a participant and that is recognized by all other 
participants. Commonly such IDs are exchanged whenever two participants set up a 
communication channel, either as part of the respective certificates or in plain-text. 
Furthermore, it is assumed that all participants to the system share three hash 
functions R_1(B,s), R_2(B,s), R_3(B,s), each mapping a positive integer B and a bitstring 
s of arbitrary length to a positive integer of B bits. These hash functions do not have 
to satisfy any fancy cryptographic requirements and neither do they have to be 
particularly efficient - anything that is convenient and that takes all bits of s into 
account will do. 

3.2 Non-shared Identity Based Elliptic Curve Key Generation 

Input: The identifying information ID of the participant generating the key 
and a security parameter B ∈ Z_{>0}. 

Output: A public key (F_p, E, Q, q, G_ID) suitable for use in elliptic curve 
cryptosystems, the corresponding private key m_ID, and additional data from which F_p, 
Q, and q can easily be reconstructed given E or d: a bitstring s of length 32 and an 8- 
bit integer b_i. 

This protocol should be performed by the party uniquely identified by ID (though 
steps 1 through 5 may in principle be carried out by any party). 

1. Pick a random bitstring s of length 32 and compute a = R_1(B, ID||s), b_0 = 
R_2(B, ID||s), and x = R_3(2*B, ID||s), where ID||s denotes the concatenation of ID 
and s. 

2. Let i = 0. 

3. For the eight different d's given in Table 1 do the following: 

• Check the conditions on d, a, b = b_0 + i, and x as described in (3.1). If (3.1) 
outputs d, p, q, and Q, then let b_i = i and jump ahead to step 6. 

4. Otherwise, if (3.1) outputs 'Failure' for all 8 different d's, then replace i by i+1 and 
jump back to step 3 if i < 256. 

5. Return to step 1 (because all 8*256 calls to (3.1) resulted in 'Failure' a new s is 
needed). 

6. Let d, p, q, and Q be as output by (3.1) and let E be the curve indicated by d 
according to Table 1. Pick a random positive integer m_ID < q and compute G_ID = 
m_ID · Q in E(F_p). 

7. Output (F_p, E, Q, q, G_ID) as public key, m_ID as private key, and the key 
reconstruction data s and b_i. 
Because a and b are B-bit integers the resulting p and q have approximately 2B and at 
least 2B-5 bits, respectively, where the '-5' corresponds to the bound 32 on f in step 
2 of (3.1). Thus, the security of the resulting key is believed to be at least B-2.5 bits. 

An important aspect of (3.2) is that the (F_p, Q, q) part of a party's public key 
can be reconstructed very easily given the party's ID, E (or d), and the s and b_i 
resulting from the construction of (F_p, E, Q, q). Since E and d can be encoded using 3 
bits, any other party only needs 3 + 32 + 8 bits plus the ID and value for B to 
reconstruct F_p, Q, and q. The details are as follows. 

3.3 Public Key Reconstruction 

Input: Identifying information ID, security parameter B, 32-bit string s, 8- 
bit integer b_i, and 3 bits indicating E and d. 

Output: Either 'Failure' or (F_p, Q, q). 

1. Compute a = R_1(B, ID||s), b = R_2(B, ID||s) + b_i, and x = R_3(2*B, ID||s). 

2. Check conditions on d, a, b, and x as described in (3.1). If (3.1) returns 'Failure', 
then output 'Failure' and terminate. 

3. Otherwise, output (F_p, Q, q) with p, q, and Q as output by (3.1). 
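The procedures (3.1), (3.2) and (3.3) as one runnable Python illustration, added here and not part of the paper. Two things are assumptions of this example rather than choices the paper makes: the hash functions R_1, R_2, R_3 are instantiated as SHA-256 of a one-byte index followed by ID||s, reduced to B bits with the top bit forced so that a and b really have B bits, and the 32-bit string s is drawn with the `secrets` module. Table 1 is transcribed from the page into `TABLE1`; as the paper notes for step 6, a transcription slip could only make a row fail the consistency check, never produce a wrong key. The security parameter B in the usage below is deliberately tiny so that the search runs in well under a second; it is not a key size anyone should use.

```python
"""Identity-based non-shared EC parameter selection, following (3.1)-(3.3).
Added illustration, not the paper's code.  Assumed: R_1, R_2, R_3 are SHA-256
truncated to B bits with the top bit set (the paper leaves them open); s comes
from `secrets`.  Table 1 is transcribed from the page (step 6 would catch slips)."""
import hashlib, math, secrets

TABLE1 = {3: (0, 16), 8: (-270, -1512), 7: (-35, -98), 11: (-9504, -365904),
          19: (-608, 5776), 43: (-13760, 621264), 67: (-117920, 15585808),
          163: (-34790720, 78984748304)}      # d -> (u, v) in Y^2 = X^3 + uX + v
FIXED_DIVISOR = {3: 9, 8: 2, 7: 8}           # column six; every other row: 1

def is_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin; with these fixed bases it is deterministic below 3.3e24."""
    if n < 2 or any(n % b == 0 for b in bases):
        return n in bases
    r = ((n - 1) & (1 - n)).bit_length() - 1  # n - 1 = d * 2^r with d odd
    d = (n - 1) >> r
    for b in bases:
        x = pow(b, d, n)
        if x not in (1, n - 1) and not any((x := x * x % n) == n - 1 for _ in range(r - 1)):
            return False
    return True

def j(m, n):  # Legendre symbol: +1 if m is a square modulo the odd prime n, else -1
    return 1 if pow(m % n, (n - 1) // 2, n) == 1 else -1

def ec_add(P, Q, u, p):
    """Affine group law on Y^2 = X^3 + uX + v over F_p; None is the identity."""
    if P is None or Q is None:
        return Q if P is None else P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    lam = (3 * x1 * x1 + u) * pow(2 * y1, -1, p) if P == Q else (y2 - y1) * pow(x2 - x1, -1, p)
    x3 = (lam * lam - x1 - x2) % p
    return x3, (lam * (x1 - x3) - y1) % p

def ec_mul(k, P, u, p):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, P, u, p)
        P, k = ec_add(P, P, u, p), k >> 1
    return acc

def check(d, a, b, x):
    """(3.1): returns (d, p, q, Q), or None for 'Failure'."""
    u, v = TABLE1[d]
    n = a * a + (2 if d == 8 else d) * b * b    # column four: a^2+2b^2 = p, else a^2+db^2 = 4p
    p = n if d == 8 else n // 4
    if (d != 8 and n % 4) or p % 4 != 3 or not is_prime(p):
        return None
    if ((d == 3 and (p % 3, a % 3, b % 3) != (1, 1, 0)) or
            (d == 8 and (p % 16, a % 4) not in ((3, 1), (11, 3))) or (d not in (3, 8) and a == 1)):
        return None
    if d in (3, 8):                                   # column five: |E(F_p)|
        order = p + 1 + a if d == 3 else p + 1 - 2 * a
    else:
        order = p + 1 + (1 if d == 11 else -1) * j(2 * a, d) * a
    step = FIXED_DIVISOR.get(d, 1)                    # step 2: |E| = q*f, q prime, f < 32
    f = next((f for f in range(step, 32, step) if order % f == 0 and is_prime(order // f)), None)
    if f is None:
        return None
    q, lp, m = order // f, math.log(p), 1
    while m * math.log(m * lp) ** 2 < 0.02 * lp * lp:  # step 3: small-m pairing (Weil/Tate) check
        if pow(p, m, q) == 1:
            return None
        m += 1
    xp = x % p                                        # step 4: p = 3 mod 4, so rhs^((p+1)/4)
    rhs = (xp ** 3 + u * xp + v) % p                  # is a square root iff rhs is a square
    y = pow(rhs, (p + 1) // 4, p)
    if y * y % p != rhs:
        return None
    Q = ec_mul(f, (xp, y), u, p)                      # step 5: Q has order 1 or q
    if Q is None or ec_mul(q, Q, u, p) is not None:   # step 6: consistency
        return None
    return d, p, q, Q

def R(i, B, s):
    """Assumed R_i(B, s): SHA-256 of i || s, reduced to B bits, top bit forced."""
    h = int.from_bytes(hashlib.sha256(bytes([i]) + s).digest(), "big")
    return (h % (1 << B)) | (1 << (B - 1))

def generate_key(ID, B):
    """(3.2): returns public (d, p, q, Q, G_ID), private m_ID, and (s, b_i)."""
    while True:
        s = secrets.token_bytes(4)
        a, b0, x = R(1, B, ID + s), R(2, B, ID + s), R(3, 2 * B, ID + s)
        for i in range(256):
            for d in TABLE1:
                res = check(d, a, b0 + i, x)
                if res is not None:
                    d, p, q, Q = res
                    m = 1 + secrets.randbelow(q - 1)          # 0 < m_ID < q
                    return (d, p, q, Q, ec_mul(m, Q, TABLE1[d][0], p)), m, (s, i)

def reconstruct(ID, B, s, bi, d):
    """(3.3): recover (p, q, Q) from ID, B, the 32-bit s, 8-bit b_i and d."""
    res = check(d, R(1, B, ID + s), R(2, B, ID + s) + bi, R(3, 2 * B, ID + s))
    return None if res is None else res[1:]
```

A hand-checkable instance of the d = 7 row is a = 8, b = 10: 8^2 + 7·10^2 = 764 = 4·191, p = 191 is 3 mod 4, 2a = 16 is a square modulo 7, so |E(F_191)| = 192 - 8 = 184 = 8·23, giving q = 23 with f equal to the fixed divisor 8; `check(7, 8, 10, x)` then succeeds for roughly half of the x values and fails for the rest at step 4, exactly as Remark (3.6) describes. `generate_key(b"alice", 12)` followed by `reconstruct` with the returned s, b_i and d reproduces (p, q, Q) from the identity alone, which is the property (3.3) relies on.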

3.4 Cheap Public Key Reconstruction 

If the public key reconstruction (3.3) is performed on data retrieved from a certificate, 
then the check of the conditions on d, a, b, and x in step 2 of (3.3) can be sped-up 
considerably, under the assumption that the certification authority performed the full 
check as described in (3.1). For instance, the two primality checks on p and q can be 
omitted (where q can be found after trial division up to at most 32), and also the check 
that Q has indeed order q can be omitted. This implies that reconstruction of the 
(F_p, Q, q)-part of a public key from certified data can be performed at the cost of 
essentially a single (p+1)/4-th powering in F_p. The time required for this 
exponentiation is very small compared to the time required for the 'standard' 
operation in elliptic curve cryptosystems, namely full scalar multiplication in the 
group of the elliptic curve. 

Lengths of s and b_i. The lengths of s and b_i should in principle depend on B. In (3.2) 
the lengths are arbitrarily chosen in such a way that the choices work satisfactorily for 
any reasonable value of B. Smaller s and b_i imply that fewer bits have to be 
exchanged and/or certified for public key exchange. Larger s and b_i mean that for a 
given ID and B more different curves may be selected. The values 32 and 8 lead to 
more different curves than any particular ID will ever want to generate for any 
reasonable fixed value of B and do not cause noticeable communication overhead. 

300 A.K. Lenstra 

3.5 Performance 

If for an integer d as in Table 1 and a randomly picked pair a, b the conditions on a 
are satisfied, then the probability that a, b, and d lead to a prime p as specified in the 
fourth column of Table 1 is approximately the same that a randomly picked number 
of the same size as p is prime. Thus, it may be expected that step 1 of (3.1) (as called 
by step 3 of (3.2)) is successful for some d after O(B) attempts. The probability of 
success of step 2 of (3.1) is of the same order of magnitude, but with a much better 
constant because cofactors up to 32 are allowed. So, O(B^2) attempts may be expected 
before step 2 of (3.1) is successful. Steps 3, 5, and 6 of (3.1) have a negligible 
probability of failure, and Step 4 of (3.1) fails with probability approximately 0.5. It 
follows that the runtime of (3.2) is dominated by the O(B^2) probabilistic 
compositeness tests on approximately 2B-bit numbers, in steps 1 and 2 of (3.1). In 
practice (3.2) runs quite fast. For instance, for B = 90 public keys are on average 
produced in less than ten seconds on a 133MHz Pentium. 

Key reconstruction (3.3) is dominated by the two probabilistic compositeness tests on approximately 2B-bit numbers in steps 1 and 2 of (3.1), the (p+1)/4-th powering in step 4 of (3.1), and the check that q·Q is the identity element in step 6 of (3.1). In practice it takes a fraction of a second. The runtime required by the 'cheap' key reconstruction (3.4) is dominated by the (p+1)/4-th powering in step 4 of (3.1), and is thus almost negligible in practice.

3.6 Remark

In (3.1) a curve that would otherwise be good (i.e., a curve for which step 4 of (3.1) is reached) is rejected if a point with x-coordinate equal to x mod p is not on the curve (step 4 of (3.1)), or if such a point is on the curve but does not lead to a point of order q (as in step 5 of (3.1)). Here x is chosen in (3.2) as R3(2B, ID||s) so it can easily be reconstructed. If speed of the public key generation process is important, then (3.1) can trivially be modified so that it looks for the smallest non-negative j such that (x+j) mod p instead of x mod p satisfies the requirements in steps 4 and 5 of (3.1). Obviously, the resulting j would have to be included in the key reconstruction data s and bi, thereby increasing the number of bits required for key reconstruction. A two or three bit j may speed up the key generation process by a factor two (cf. (3.5)), without affecting the length of the key reconstruction data in a substantial way.

Implementation. Elliptic curve arithmetic can be implemented in many different ways (cf. [1, 4]). The most efficient choice depends on hardware characteristics of the device to be used and is outside the scope of this paper. Assuming that elliptic curve arithmetic is available, implementation of the key generation and reconstruction method proposed in this paper is entirely straightforward based on the descriptions in (3.1), (3.2), (3.3), and (3.4).



4 Comparison

As explained in Section 1, in a shared elliptic curve cryptosystem the part of A's public key data that is unique to A consists of a single point G_A on the curve. If an L-bit finite field is used, then G_A can trivially be encoded in 2L bits: L bits for the x-coordinate and L bits for the y-coordinate. It is common practice, however, not to encode the full y-coordinate, but to let the recipient of the public key perform a modular square root computation to derive the y-coordinate from the x-coordinate. As argued above this square root computation is negligible compared to the ensuing cryptographic operations (in particular if p = 3 mod 4). Since one additional bit is needed to indicate which of the two square roots should be used, G_A can be encoded in L + 1 bits. It follows that the amount of data to be exchanged or certified is L + 1 + |ID| bits, where |ID| denotes the length of the identifying information ID.
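The following Python example is added here and is not part of Lenstra's paper. It shows the square root by a (p+1)/4-th powering that both the cheap reconstruction (3.4) and the L + 1-bit encoding of G_A rely on, next to the primality and order checks that (3.3) performs on uncertified data and (3.4) omits, and it exercises the failure case in which x is not the x-coordinate of any point (step 4 of (3.1)). The curve parameters (p = 23, y^2 = x^3 + x + 1 with 28 points, so q = 7 with cofactor 4), the base point (1, 7) and all function names are my own constructions for illustration and do not come from the paper.

```python
# Added example (not Lenstra's code): point decompression by a (p+1)/4-th
# powering, as used by the 'cheap' reconstruction (3.4) and the L+1-bit
# encoding of Section 4, beside the full checks of (3.3).  The toy curve is
# constructed for illustration: p = 23 (p = 3 mod 4), y^2 = x^3 + x + 1,
# which has 28 points, so q = 7 and the cofactor is 4.
from collections import namedtuple

Curve = namedtuple("Curve", "p a b")
TOY = Curve(p=23, a=1, b=1)   # constructed toy parameters, not from the paper
INF = None                    # the point at infinity

def is_probable_prime(n):
    """Miller-Rabin with fixed bases; deterministic for n < 3.3e24 (a demo size)."""
    if n < 2:
        return False
    bases = (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)
    for sp in bases:
        if n % sp == 0:
            return n == sp
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True

def decompress(curve, x, y_parity):
    """Recover (x, y) from x and one parity bit; None if x is not on the curve.
    For p = 3 mod 4, z^((p+1)/4) is a square root of z whenever z is a square."""
    p = curve.p
    assert p % 4 == 3
    rhs = (x**3 + curve.a * x + curve.b) % p
    y = pow(rhs, (p + 1) // 4, p)
    if y * y % p != rhs:          # rhs is a non-residue: step 4 of (3.1) fails
        return None
    if y % 2 != y_parity:         # p is odd, so y and p - y have different parity
        y = p - y
    return (x, y)

def compress(point):
    """Encode a point as (x, parity bit): L + 1 bits inst  of 2L."""
    x, y = point
    return (x, y % 2)

def ec_add(curve, P1, P2):
    """Affine addition on y^2 = x^3 + ax + b over F_p."""
    p = curve.p
    if P1 is INF:
        return P2
    if P2 is INF:
        return P1
    x1, y1 = P1
    x2, y2 = P2
    if x1 == x2 and (y1 + y2) % p == 0:
        return INF
    if P1 == P2:
        lam = (3 * x1 * x1 + curve.a) * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(curve, k, P):
    """Double-and-add scalar multiplication."""
    R = INF
    while k:
        if k & 1:
            R = ec_add(curve, R, P)
        P = ec_add(curve, P, P)
        k >>= 1
    return R

def count_points(curve):
    """#E(F_p) by brute force (toy sizes only); about half of all x lie on the curve."""
    n = 1
    for x in range(curve.p):
        rhs = (x**3 + curve.a * x + curve.b) % curve.p
        n += sum(1 for y in range(curve.p) if y * y % curve.p == rhs)
    return n

def full_reconstruct(curve, x, y_parity, q):
    """Uncertified data, as in (3.3): redo the checks that (3.4) skips."""
    if not is_probable_prime(curve.p) or not is_probable_prime(q):
        raise ValueError("p or q is not prime")
    Q = decompress(curve, x, y_parity)
    if Q is None:
        raise ValueError("x is not the x-coordinate of a curve point")
    if ec_mul(curve, q, Q) is not INF:
        raise ValueError("Q does not have order q")
    return Q

def cheap_reconstruct(curve, x, y_parity):
    """Certified data, as in (3.4): one (p+1)/4-th powering, trusting the CA's checks."""
    Q = decompress(curve, x, y_parity)
    if Q is None:
        raise ValueError("certified data does not decompress")
    return Q

if __name__ == "__main__":
    G = (1, 7)                              # a point on the toy curve
    Q = ec_mul(TOY, 4, G)                   # cofactor * G has order q = 7
    x, bit = compress(Q)
    print(count_points(TOY), Q, full_reconstruct(TOY, x, bit, 7), cheap_reconstruct(TOY, x, bit))
```

The order check `q·Q = O` is what distinguishes a point in the prime-order subgroup from one of order 28; `full_reconstruct` rejects the base point (1, 7) itself for q = 7 because it has order 28, while `cheap_reconstruct` would happily return any decompressible x, which is exactly why (3.4) is safe only behind a verified certificate.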

In a non-shared elliptic curve cryptosystem party A's public key data consists of the five-tuple (F_p(A), E_A, Q_A, q_A, G_A). Encoding of these data requires L bits for p(A), in general 2L bits for a randomly selected Weierstraß model to specify E_A, L + 1 bits each for Q_A and G_A (at the cost of two modular square root computations), and approximately L/2 bits to encode the difference between p(A) and the group order, plus the cofactor of q_A in the group order. The total number of bits to encode (F_p(A), E_A, Q_A, q_A, G_A) is equal to 5.5L + 2. The amount of data to be exchanged or certified is 5.5L + 2 + |ID| bits.

In the non-shared system from Section 3 the (F_p, Q, q)-part of the public key data can be reconstructed, at the cost of one modular square root, from ID, B, and an additional 3 + 32 + 8 = 43 bits, as shown in Section 3. Since B may be assumed to be a system wide parameter (of value approximately equal to L/2), the total amount of data to be exchanged or certified is L + 44 + |ID| bits. Compared to the shared system, 43 more bits have to be carried along, and one additional modular square root has to be performed during key reconstruction. An additional 43 bits and a single modular square root are a small price to pay for the additional security obtained.

Compared to the traditional non-shared system, during key exchange or certification 4.5L - 42 bits are saved by the method from Section 3, and the same number of modular square roots is required. Furthermore, public key generation according to the new method is straightforward, whereas traditional non-shared systems require curve point counting software. The latter can be done using either complex multiplication (CM) techniques (thereby restricting the range of curves that can be used) or using the Schoof-Elkies-Atkin (SEA) algorithm (for truly random curves). Both the CM-based and the SEA-based methods are considerably more complicated than the approach from Section 3. Intuitively, the security of the SEA approach ranks highest, followed by CM, followed by the new method (cf. [2]), but as explicitly stated by the same authoritative source, there is no evidence whatsoever that this intuition is correct. Thus, given the current state of the art, the security offered by the newly proposed non-shared system and either type of traditional non-shared system (CM or SEA) seems to be the same.
Abstract. In this paper we study authentication codes with arbitration (A²-codes). An A²-code is called optimal if its cheating probabilities achieve their information-theoretic lower bounds and it has the minimum number of keys. We give a characterization of optimal A²-codes in terms of combinatorial designs. This means that the construction of optimal A²-codes is reduced to the construction of the corresponding combinatorial structures.



1 Introduction 

In a traditional authentication code (A-code) there are three participants: a transmitter, a receiver and an opponent. Transmitter and receiver trust each other. The opponent attempts to impersonate the transmitter or to substitute a message sent to the receiver. Simmons [7] extended this model by considering possible attacks from the transmitter and the receiver. He introduced a fourth participant, called the arbiter, who is trusted and arbitrates if the transmitter or the receiver cheats. This is called an authentication code with arbiter, or A²-code. The model and constructions of A²-codes were further studied by Johansson [3], Desmedt et al. [1] and Obana et al. [5].

The following three types of spoofing attacks are considered.

Attack $O_r$ by the opponent: after observing a sequence of $r$ distinct messages $m_1, m_2, \ldots, m_r$, the opponent sends a message $m$, $m \ne m_i$, $1 \le i \le r$, to the receiver and succeeds if the receiver accepts the message as authentic and the message represents a distinct source state from those represented by $m_i$, $1 \le i \le r$.

Attack $R_r$ by the receiver: after receiving a sequence of $r$ distinct messages $m_1, m_2, \ldots, m_r$, the receiver claims to have received a message $m$ and succeeds if the message $m$ could have been generated by the transmitter and represents a distinct source state from those represented by $m_i$, $1 \le i \le r$.

Attack $T$ by the transmitter: the transmitter sends a message to the receiver and then denies having sent it. The transmitter succeeds if this message is accepted by the receiver as authentic and if it is not one of the messages that the transmitter could have generated using his encoding rule.

* Authors 1, 2 are supported by the Grant No. 19531020 of NNSF of China and the 
grant E47 of NSF of Guangdong. Authors 3,4 are partially supported by Australian 
Research Council Grant Number A49703076. 
Let $S$ denote the set of all source states and $\mathcal{M}$ denote the set of all possible messages. An encoding rule of the transmitter is a one-to-one mapping from $S$ to $\mathcal{M}$. Let $\mathcal{E}_T$ denote the set of all encoding rules of the transmitter. A decoding rule $f$ of the receiver is a mapping from $\mathcal{M}$ onto $S \cup \{\mathrm{reject}\}$. For each source state $s \in S$, the subset $\mathcal{M}(f,s) \subseteq \mathcal{M}$ denotes the set of messages that correspond to $s$ under the mapping $f$. The sets $\mathcal{M}(f,s)$, $s \in S$, are disjoint for different source states. Let $\mathcal{E}_R$ denote the set of all decoding rules of the receiver.

Before transmission, the receiver selects a decoding rule $f \in \mathcal{E}_R$ and secretly gives it to the arbiter. The arbiter selects one message from $\mathcal{M}(f,s)$ for each source state $s \in S$, forming an encoding rule $e$, and secretly gives it to the transmitter. In this case we say that the encoding rule $e$ is valid under the decoding rule $f$. The source state $s$ which the transmitter wants to send is encoded as the message $m = e(s)$, which is then transmitted over the channel. The receiver checks whether a received message is valid (i.e. it is in some set $\mathcal{M}(f,s)$) and recovers the source state. When disputes between the transmitter and the receiver occur, the arbiter checks whether the message under dispute is valid for the encoding rule used by the transmitter. If and only if it is valid, the arbiter accepts that it was sent by the transmitter.

Let $P_{O_r}$ denote the probability of success of the attack $O_r$, $P_{R_r}$ the probability of success of the attack $R_r$, and $P_T$ the probability of success of the attack $T$. It was proved ([3] and [9]) that





( 1 ) 




( 2 ) 




( 3 ) 



Here $M^r$ is the random variable for the first $r$ messages sent by the transmitter, $E_T$ the random variable for the encoding rules of the transmitter, $E_R$ the random variable for the decoding rules of the receiver, and $M'$ the random variable for messages that are not valid under the given encoding rules. We use $H(Z \mid Y)$ to denote the conditional entropy.

It is easy to deduce from the above three inequalities that

$$|\mathcal{E}_R| \ge (P_{O_0} \cdots P_{O_{t-1}} P_T)^{-1} \qquad (4)$$

$$|\mathcal{E}_T| \ge (P_{R_0} \cdots P_{R_{t-1}} P_{O_0} \cdots P_{O_{t-1}})^{-1} \qquad (5)$$

for any positive integer $t \le |S|$.

An A²-code is called optimal of order $t$ if (1) and (2) hold with equality for $r$, $0 \le r \le t-1$, and (3), (4) and (5) also hold with equality.

The main aim of this paper is to find the necessary and sufficient conditions for optimal A²-codes (see §2). In other words, we will give a characterization of optimal A²-codes in terms of combinatorial designs (SPB t-designs and RSPB t-designs, see Definitions 2 and 3). A similar problem has been considered in the literature, and we follow a similar approach for A²-codes in this paper.

Obana and Kurosawa considered optimal Cartesian A²-codes with $t = 2$. They proved that such an optimal A²-code is equivalent to an affine resolvable + BIBD design. The result of this paper holds for general optimal A²-codes. The combinatorial characterization of optimal Cartesian A²-codes for any $t$ in terms of resolvable block designs with some additional properties can also be deduced from this general result (see §5).

2 Main Result

Definition 1 Let $v, b, k, \lambda, t$ be positive integers. A $t$-$(v,b,k;\lambda,0)$ design is a pair $(\mathcal{M}, \mathcal{B})$ where $\mathcal{M}$ is a set of $v$ points and $\mathcal{B}$ is a set of $b$ $k$-subsets of $\mathcal{M}$, called blocks, such that any $t$-subset of $\mathcal{M}$ either occurs in exactly $\lambda$ blocks or does not occur in any block.

We call a $t$-$(v,b,k;\lambda,0)$ design a partially balanced $t$-design (PB $t$-design).

Definition 2 A PB $t$-design $t$-$(v,b,k;\lambda,0)$ is called strong (SPB $t$-design) if for any $r$, $1 \le r \le t$, it is also an $r$-$(v,b,k;\lambda_r,0)$ design. We denote it by $t$-$(v,b,k;\lambda_1,\ldots,\lambda_t,0)$.

Definition 3 Let $v,b,k,c,\lambda,t$ be positive integers. A PB $t$-design $(\mathcal{M},\mathcal{B})$ is called restricted (RPB $t$-design) if $|\mathcal{M}| = v$, $\mathcal{B} = \{B_1,\ldots,B_b\}$, each block $B_i$ is divided into $k$ parts, each part has $c$ points of $\mathcal{M}$, and any $t$-subset of $\mathcal{M}$ either occurs in exactly $\lambda$ blocks in such a way that each point of the $t$-subset lies in a different part of the block, or does not occur in any such block at all.

We denote an RPB $t$-design by $t$-$(v,b,k,c;\lambda,0)$. Similarly we can define an RSPB $t$-design $t$-$(v,b,k,c;\lambda_1,\ldots,\lambda_t,0)$.

Let $S^r$ denote the random variable associated with the first $r$ source states adopted by the transmitter. Let

$$p(S^r = (s_1,\ldots,s_r)) > 0 \qquad (6)$$

if $s_i \ne s_j$, $1 \le i < j \le r$.

For a given decoding rule $f \in \mathcal{E}_R$ the set

$$\mathcal{M}(f) = \bigcup_{s \in S} \mathcal{M}(f,s)$$

is the set of all valid messages for $f$. For a given $m^r = (m_1,\ldots,m_r) \in \mathcal{M}^r$, define the set

$$\mathcal{E}_R(m^r) = \{ f \in \mathcal{E}_R \mid m_i \in \mathcal{M}(f),\ f(m_i) \ne f(m_j),\ 1 \le i < j \le r \}.$$

Let

$$\mathcal{M}^r_R = \{ m^r \in \mathcal{M}^r \mid \mathcal{E}_R(m^r) \ne \emptyset \}.$$

For a given encoding rule $e \in \mathcal{E}_T$, let

$$\mathcal{M}(e) = \{ e(s) \mid s \in S \}$$

be the set of all valid messages for $e$. An encoding rule $e$ is valid under a decoding rule $f$ iff $e(s) \in \mathcal{M}(f,s)$ for every $s \in S$.

Suppose the encoding rule $e$ is valid under the decoding rule $f$; define

$$\mathcal{M}'(e) = \mathcal{M} \setminus \mathcal{M}(e), \qquad \mathcal{M}'_f(e) = \mathcal{M}(f) \setminus \mathcal{M}(e).$$

For a given $f \in \mathcal{E}_R$, let

$$\mathcal{E}_T(f) = \{ e \in \mathcal{E}_T \mid e \text{ is valid under } f \}.$$

For a given $e \in \mathcal{E}_T$, let

$$\mathcal{E}_R(e) = \{ f \in \mathcal{E}_R \mid e \text{ is valid under } f \}.$$

We assume that $p(E_R = f) > 0$ for any $f \in \mathcal{E}_R$ and $p(E_T = e \mid E_R = f) > 0$ for any $e \in \mathcal{E}_T(f)$. In the following, for simplicity, we write $p(f)$ instead of $p(E_R = f)$, $p(e \mid f)$ instead of $p(E_T = e \mid E_R = f)$, and so on. It follows that $p(e) > 0$ for any $e \in \mathcal{E}_T$ and $p(f \mid e) > 0$ for any $f \in \mathcal{E}_R(e)$.

For any message $m \in \mathcal{M}$ we assume that there exists at least one decoding rule $f$ such that $m \in \mathcal{M}(f)$; otherwise the message $m$ can be deleted from $\mathcal{M}$. Given a decoding rule $f$, for any message $m \in \mathcal{M}(f)$ we assume that there exists at least one encoding rule $e \in \mathcal{E}_T(f)$ such that $m \in \mathcal{M}(e)$; otherwise the message $m$ can be deleted from $\mathcal{M}(f)$.

Our main result is the following theorem.

Theorem 1 The necessary and sufficient condition for an A²-code $(S, \mathcal{M}, \mathcal{E}_T, \mathcal{E}_R)$ to be optimal is as follows.

(i) The encoding rules in $\mathcal{E}_T$ are equally probable and the decoding rules in $\mathcal{E}_R$ are also equally probable. It can be deduced that $\mathcal{E}_T(f)$ and $\mathcal{E}_R(e)$ also have uniform probability distributions.

(ii) For any given $m^r \in \mathcal{M}^r_R$, the probability $p(S^r = f(m^r))$ is constant for all $f \in \mathcal{E}_R(m^r)$.

(iii) For any given $e \in \mathcal{E}_T$ the pair

$$(\mathcal{M}'(e), \{\mathcal{M}'_f(e) \mid f \in \mathcal{E}_R(e)\})$$

is a $1$-$(v-k, |\mathcal{E}_R(e)|, k(c-1); 1, 0)$ design, where $v = |\mathcal{M}|$, $k = |S|$, and $c$ is a positive integer. In fact, $c = |\mathcal{M}(f,s)|$ for all $f \in \mathcal{E}_R$, $s \in S$.

(iv) For any given $f \in \mathcal{E}_R$, the pair

$$(\mathcal{M}(f), \{\mathcal{M}(e) \mid e \in \mathcal{E}_T(f)\})$$

is an SPB $t$-$(kc, (P_{R_0} P_{R_1} \cdots P_{R_{t-1}})^{-1}, k; \lambda_1, \ldots, \lambda_t, 0)$ design, where $\lambda_t = 1$ and $\lambda_r = (P_{R_r} \cdots P_{R_{t-1}})^{-1}$, $1 \le r \le t-1$.

(v) The pair

$$(\mathcal{M}, \{\mathcal{M}(f) \mid f \in \mathcal{E}_R\})$$

is an RSPB $t$-$(v, (P_{O_0} \cdots P_{O_{t-1}} P_T)^{-1}, k, c; \mu_1, \ldots, \mu_t, 0)$ design, where $\mu_t = P_T^{-1}$ and $\mu_r = (P_{O_r} \cdots P_{O_{t-1}} P_T)^{-1}$, $1 \le r \le t-1$.

3 Lower Bounds

Assume that one decoding rule and one valid encoding rule are chosen.

Let $P(m \mid m^r)$ denote the probability of the event that the message $m$ is accepted by the receiver given that the first $r$ messages $m^r = (m_1, m_2, \ldots, m_r)$ have been accepted, where $m_1, \ldots, m_r, m$ represent different source states. Writing $m^r * m$ for the sequence $(m_1, \ldots, m_r, m)$, we have

$$P(m \mid m^r) = \sum_{f \in \mathcal{E}_R(m^r * m)} p(f \mid m^r).$$

Let $P(m \mid f, m^r)$ denote the probability of the event that the message $m$ could have been generated by the transmitter given the decoding rule $f$ and the first $r$ messages $m^r = (m_1, \ldots, m_r)$, where $m_1, \ldots, m_r, m$ represent different source states. We have

$$P(m \mid f, m^r) = \sum_{e \in \mathcal{E}_T(f, m^r * m)} p(e \mid f, m^r),$$

where

$$\mathcal{E}_T(f, m^r) = \{ e \mid e \in \mathcal{E}_T(f),\ m_i \in \mathcal{M}(e),\ 1 \le i \le r \}.$$

Let $P(m' \mid e)$ denote the probability of the event that the message $m' \notin \mathcal{M}(e)$ is accepted by the receiver given the encoding rule $e$. We have

$$P(m' \mid e) = \sum_{f \in \mathcal{E}_R(e, m')} p(f \mid e),$$

where

$$\mathcal{E}_R(e, m') = \{ f \mid f \in \mathcal{E}_R(e),\ m' \in \mathcal{M}'_f(e) \}.$$

Now we define $P_{O_r}$, $P_{R_r}$ and $P_T$ as follows:

$$P_{O_r} = \sum_{m^r} p(m^r) \max_{m \in \mathcal{M}} P(m \mid m^r),$$

$$P_{R_r} = \max_{f \in \mathcal{E}_R} \sum_{m^r} p(m^r \mid f) \max_{m \in \mathcal{M}} P(m \mid f, m^r),$$

$$P_T = \max_{e \in \mathcal{E}_T} \max_{m' \in \mathcal{M}'(e)} P(m' \mid e).$$

The following three propositions on the information-theoretic lower bounds of $P_{O_r}$, $P_{R_r}$ and $P_T$ respectively can be proved in a way similar to that of Theorem 1 in [5].

Proposition 1 The inequality

$$P_{O_r} \ge \qquad (7)$$

holds for any integer $r \ge 0$. The equality holds iff for any $m^r \in \mathcal{M}^r$ and $m \in \mathcal{M}$ with $\mathcal{E}_R(m^r * m) \ne \emptyset$ the ratio

$$\frac{p(f \mid m^r)}{p(f \mid m^r * m)}$$

is independent of $m^r$, $m$ and $f \in \mathcal{E}_R(m^r * m)$. When this equality holds, the probability $P_{O_r}$ equals $P(m \mid m^r)$ and also the above ratio.

Proposition 2 The inequality

$$P_{R_r} \ge \qquad (8)$$

holds for any integer $r \ge 0$. The equality holds iff for any $m^r \in \mathcal{M}^r$, $m \in \mathcal{M}$ and $f \in \mathcal{E}_R(m^r * m)$ with $\mathcal{E}_T(f, m^r * m) \ne \emptyset$ the ratio

$$\frac{p(e \mid f, m^r)}{p(e \mid f, m^r * m)}$$

is independent of $m^r$, $m$, $f \in \mathcal{E}_R(m^r * m)$ and $e \in \mathcal{E}_T(f, m^r * m)$. When this equality holds, the probability $P_{R_r}$ equals $P(m \mid f, m^r)$ and also the above ratio.

Proposition 3 The inequality

$$P_T \ge 2^{H(E_R \mid E_T, M') - H(E_R \mid E_T)} \qquad (9)$$

holds. The equality holds iff for any $e \in \mathcal{E}_T$, $m' \in \mathcal{M}'(e)$ with $\mathcal{E}_R(e, m') \ne \emptyset$ the ratio

$$\frac{p(f \mid e)}{p(f \mid e, m')}$$

is independent of $e$, $m'$ and $f \in \mathcal{E}_R(e, m')$. When this equality holds, the probability $P_T$ equals $P(m' \mid e)$ and also the above ratio.

The following two propositions give the lower bounds on $|\mathcal{E}_R|$ and $|\mathcal{E}_T|$ respectively.

Proposition 4 The number of decoding rules of the receiver is lower bounded by

$$|\mathcal{E}_R| \ge (P_{O_0} P_{O_1} \cdots P_{O_{t-1}} P_T)^{-1}. \qquad (10)$$

Suppose that $P_T$ and $P_{O_r}$, $0 \le r \le t-1$, achieve their lower bounds in (7) and (9). Then the equality in (10) holds iff

$$H(E_R \mid E_T, M') = 0, \qquad H(E_R \mid M^t) = H(E_R \mid E_T)$$

and $E_R$ has a uniform probability distribution.

Proposition 5 The number of encoding rules of the transmitter has the lower bound

$$|\mathcal{E}_T| \ge (P_{O_0} P_{O_1} \cdots P_{O_{t-1}} P_{R_0} \cdots P_{R_{t-1}})^{-1}. \qquad (11)$$

Suppose $P_{O_r}$, $P_{R_r}$, $0 \le r \le t-1$, achieve their lower bounds in (7) and (8). Then $|\mathcal{E}_T|$ achieves its lower bound in (11) iff

$$H(E_T \mid E_R, M^t) = 0, \qquad H(E_R \mid M^t) = H(E_R \mid E_T)$$

and $E_T$ has a uniform distribution.

Remark Since

$$H(E_T \mid E_R, M^t) = H(E_R, E_T \mid M^t) - H(E_R \mid M^t) = H(E_T \mid M^t) + H(E_R \mid E_T) - H(E_R \mid M^t),$$

the condition that $H(E_T \mid E_R, M^t) = 0$ and $H(E_R \mid M^t) = H(E_R \mid E_T)$ is equivalent to $H(E_T \mid M^t) = 0$.

4 Combinatorial Structure of Optimal A²-codes

The following corollaries provide a bridge between the information-theoretic lower bounds of $P_{O_r}$, $P_{R_r}$ and $P_T$ and the combinatorial structure of optimal A²-codes.

Corollary 1 Suppose that $E_R$ has a uniform probability distribution and that $P_{O_r}$ achieves its lower bound in (7) for $0 \le r \le t-1$. (12)

Then for any $m^r \in \mathcal{M}^r_R$, $m \in \mathcal{M}$ with $\mathcal{E}_R(m^r * m) \ne \emptyset$ we have

$$P_{O_r} = |\mathcal{E}_R(m^r * m)| / |\mathcal{E}_R(m^r)|.$$

Corollary 2 Suppose that $E_T(f)$ has a uniform probability distribution and that $P_{R_r}$ achieves its lower bound in (8) for $0 \le r \le t-1$. (13)

Then for any $m^r \in \mathcal{M}^r_R$, $m \in \mathcal{M}$, $f \in \mathcal{E}_R(m^r * m)$ with $\mathcal{E}_T(f, m^r * m) \ne \emptyset$,

$$P_{R_r} = |\mathcal{E}_T(f, m^r * m)| / |\mathcal{E}_T(f, m^r)|.$$

Corollary 3 Suppose that $E_R(e)$ has a uniform probability distribution and

$$P_T = 2^{H(E_R \mid E_T, M') - H(E_R \mid E_T)}.$$

Then for any $e \in \mathcal{E}_T$, $m' \in \mathcal{M}'(e)$ with $\mathcal{E}_R(e, m') \ne \emptyset$,

$$P_T = |\mathcal{E}_R(e, m')| / |\mathcal{E}_R(e)|.$$

The optimal A²-codes have a requirement on the probability distribution of $S^r$:

Corollary 4 Suppose (12) and (13) hold. Then for any $m^r \in \mathcal{M}^r_R$, the probability $p(f(m^r))$ does not depend on $f \in \mathcal{E}_R(m^r)$ ($0 \le r \le t-1$).

Corollary 5 If (13) holds, then $|\mathcal{M}(f,s)| = c$ is a constant for any $f \in \mathcal{E}_R$ and $s \in S$. Furthermore $c = P_{R_0}^{-1}$.

Now based on the above discussion it is not difficult to prove Theorem 1. The proof will be given in the final version of this paper.



5 Optimal Cartesian A²-Codes

An A²-code is Cartesian (without secrecy) if one can always know the source state from the message sent by the transmitter. In a Cartesian A²-code for any $m \in \mathcal{M}$ there is a unique $s \in S$ such that $m \in \mathcal{M}(f,s)$ for all $f \in \mathcal{E}_R(m)$. Let

$$\mathcal{M}(s) = \{ m \in \mathcal{M} \mid m \in \mathcal{M}(f,s) \text{ for } f \in \mathcal{E}_R(m) \}.$$

It is clear that

$$\mathcal{M} = \bigcup_{s \in S} \mathcal{M}(s).$$

Lemma 1. For an optimal Cartesian A²-code, the value $|\mathcal{M}(s)|$ is a constant for any $s \in S$.

Lemma 2. Let $(S, \mathcal{M}, \mathcal{E}_R, \mathcal{E}_T)$ be an optimal Cartesian A²-code of order $t$. For any $e \in \mathcal{E}_T$ and $m^t = (m_1, m_2, \ldots, m_t) \in \mathcal{M}(e)^t$, we have

$$\mathcal{E}_R(e) = $$

Let $(V, \mathcal{B})$ be a block design where $V$ is a set of $n$ points and $\mathcal{B}$ is a family of blocks. Each block contains the same number of points of $V$.

Definition 4 A block design $(V, \mathcal{B})$ is called $\alpha$-resolvable if the block set $\mathcal{B}$ can be partitioned into classes $C_1, C_2, \ldots, C_k$ with the property that in each class every point of $V$ occurs in exactly $\alpha$ blocks.

We are interested in $\alpha$-resolvable designs with the following properties. There exists a positive integer $t \le k$ such that:

P1. A collection of $i$, $1 \le i \le t$, blocks from different classes either intersects in $\mu_i$ points or does not intersect at all.

P2. Denote by $T$ the set of all $t$-tuples $(B_{i_1}, \ldots, B_{i_t})$ where the blocks $B_{i_1}, \ldots, B_{i_t}$ are from different classes $C_{i_1}, \ldots, C_{i_t}$ with $B_{i_1} \cap \cdots \cap B_{i_t} \ne \emptyset$. For any $u$, $u \le k$, $u \ne i_1, \ldots, i_t$, there exists a unique $B_u \in C_u$ such that $B_{i_1} \cap \cdots \cap B_{i_t} \subseteq B_u$.

Furthermore, for any $j$ ($1 \le j \le t$) blocks $B_{i_1}, \ldots, B_{i_j}$ from different classes $C_{i_1}, \ldots, C_{i_j}$ with $f \in \bigcap_{l=1}^{j} B_{i_l}$, let

$$T_f(B_{i_1}, \ldots, B_{i_j}) = \{ (B_{i_1}, \ldots, B_{i_j}, \ldots, B_{i_t}) \in T \mid f \in \textstyle\bigcap_{l=1}^{t} B_{i_l} \}.$$

The value $|T_f(B_{i_1}, \ldots, B_{i_j})|$ is either $\lambda_j$ or zero, where $\lambda_j$ is a constant. Let

$$T(f) = \{ (B_{i_1}, \ldots, B_{i_t}) \in T \mid f \in \textstyle\bigcap_{l=1}^{t} B_{i_l} \}.$$

Then $g = |T(f)|$ is also a constant.

P3. Let $(B_{i_1}, \ldots, B_{i_t}) \in T$. For any block $B' \in \mathcal{B}$, if $B' \ne B_{i_j}$, $1 \le j \le t$, and $B' \ne B_u$, $u \ne i_1, \ldots, i_t$ (where $B_u$ is defined in P2), then $|B' \cap B_{i_1} \cap \cdots \cap B_{i_t}| = 0$ or $1$.

A combinatorial characterization of Cartesian optimal A²-codes in terms of $\alpha$-resolvable block designs with properties P1, P2 and P3 can be deduced from Theorem 1. Let $(S, \mathcal{M}, \mathcal{E}_T, \mathcal{E}_R)$ be an optimal Cartesian A²-code. Let $\mathcal{B} = \{\mathcal{E}_R(m) \mid m \in \mathcal{M}\}$. It can be shown by Theorem 1 that $(\mathcal{E}_R, \mathcal{B})$ is a $c$-resolvable block design with properties P1, P2 and P3, where $c = |\mathcal{M}(f,s)|$. The block set $\mathcal{B}$ is partitioned into classes $C_1, C_2, \ldots, C_k$ where $C_i = \{\mathcal{E}_R(m) \mid m \in \mathcal{M}(s_i)\}$, $s_i \in S$. The properties P1, P2 and P3 correspond to the items (v), (iv) and (iii) of Theorem 1 respectively. We have the following theorem.

Theorem 2 Suppose there exists a $c$-resolvable design $(V, \mathcal{B})$ in which $\mathcal{B}$ is partitioned into classes $C_1, \ldots, C_k$ with properties P1, P2 and P3 and such that all classes have the same number of blocks. Then there exists an optimal Cartesian A²-code with uniform probability distributions on $\mathcal{E}_T$ and $\mathcal{E}_R$. The code has the following parameters:

1. The number of source states is $k$.

2. The number of messages is $|\mathcal{B}|$.

3. $|\mathcal{E}_R| = |V|$, $|\mathcal{E}_T| = g/\mu_t$, $|\mathcal{E}_R \circ \mathcal{E}_T| = |V|\, g$.

4. $P_{O_r} = \mu_{r+1}/\mu_r$, $P_{R_r} = \lambda_{r+1}/\lambda_r$, $P_T = 1/\mu_t$, $0 \le r \le t-1$.

Conversely, if there exists a Cartesian optimal A²-code then there exists a $c$-resolvable block design with properties P1, P2 and P3.



6 Conclusion

Optimal A²-codes, which have the minimum cheating probabilities and the minimum size for the key spaces, are the most interesting class of A²-codes. In this paper we have given a characterization of these codes in terms of combinatorial designs. Thus the construction of optimal A²-codes is reduced to the construction of combinatorial designs with the properties given in Theorem 1. All the known optimal A²-codes are Cartesian ([8], [2], [9], [4]). The construction of non-Cartesian optimal A²-codes is an open problem.
Appendix: Example

Now we look at the combinatorial structure of the Cartesian optimal A²-code with order $t = 2$ constructed by T. Johansson [3]. We check that it satisfies the conditions given in Theorem 1.

Let $F_q$ be the finite field with $q$ elements. Fix a line $L_0$ in the projective space $PG(3, F_q)$ of dimension 3. The points on $L_0$ are regarded as source states. The receiver's decoding rule $f$ is a point not on $L_0$. The transmitter's encoding rule is a line $e$ not intersecting $L_0$. An encoding rule $e$ is valid under a decoding rule $f$ iff the point $f$ is on the line $e$. A source state $s$ is encoded by an encoding rule $e$ into the message $e(s) = \langle e, s \rangle$, which is the unique plane passing through $e$ and $s$. The receiver accepts a message iff the decoding rule $f$ is contained in the received plane.

Now consider the combinatorial structure of this A²-code. There are $q+1$ points on $L_0$, thus $|S| = q+1$. The messages are all planes intersecting the line $L_0$ in one point. This is the same as all planes not containing the fixed line $L_0$. The total number of planes is $q^3+q^2+q+1$ and the number of planes containing the line $L_0$ is $q+1$. Thus $|\mathcal{M}| = q^3+q^2$. The receiver's decoding rules are all points not on $L_0$. The total number of points is $q^3+q^2+q+1$, thus $|\mathcal{E}_R| = q^3+q^2$.

For a given decoding rule $f$, the encoding rules which are valid under $f$ are all lines passing through the point $f$ but not intersecting $L_0$. The total number of lines passing through $f$ is $q^2+q+1$, among them $q+1$ lines intersect $L_0$. Thus $|\mathcal{E}_T(f)| = q^2$. The decoding rules under which a given encoding rule $e$ is valid are all points on the line $e$, thus $|\mathcal{E}_R(e)| = q+1$.

Given a decoding rule $f$ and a source state $s$, there are $q$ planes passing through $f$ and $s$ but not containing $L_0$. Thus $c = |\mathcal{M}(f,s)| = q$ and $|\mathcal{M}(f)| = q(q+1)$.

Consider an encoding rule $e \in \mathcal{E}_T$. Any message $m \in \mathcal{M}'(e)$ is a plane intersecting $e$ at a unique point $f$. It means that $m$ is contained in a unique $\mathcal{M}'_f(e)$. Thus $(\mathcal{M}'(e), \{\mathcal{M}'_f(e) \mid f \in \mathcal{E}_R(e)\})$ is a $1$-$(q^3+q^2-q-1, q+1, q^2-1; 1, 0)$ design.

Consider a decoding rule $f \in \mathcal{E}_R$. Any message $m \in \mathcal{M}(f)$ is a plane containing $f$ and intersecting $L_0$ at a unique point. There are $q$ lines passing through $f$ but not intersecting $L_0$ in the plane. This means that there are $q$ encoding rules $e \in \mathcal{E}_T(f)$ such that $m \in \mathcal{M}(e)$. Any two messages $m_1 \in \mathcal{M}(f, s_1)$ and $m_2 \in \mathcal{M}(f, s_2)$ with $s_1 \ne s_2$ are two planes passing through $f$ and intersecting $L_0$ at different points $s_1$ and $s_2$ respectively. These two planes have a unique common line passing through $f$ and not intersecting $L_0$. Thus $m_1$ and $m_2$ are contained in a unique $\mathcal{M}(e)$, $e \in \mathcal{E}_T(f)$. Two messages $m_1, m_2 \in \mathcal{M}(f, s)$ are two planes passing through $f$ and $s$. Their common line is the line connecting $f$ and $s$. Hence $m_1$ and $m_2$ cannot be contained in one $\mathcal{M}(e)$ ($e \in \mathcal{E}_T(f)$). Thus $(\mathcal{M}(f), \{\mathcal{M}(e) \mid e \in \mathcal{E}_T(f)\})$ is an SPB $2$-$(q(q+1), q^2, q+1; q, 1, 0)$ design.

Any message $m$ is a plane containing $q^2+q$ points not on $L_0$. Hence $m \in \mathcal{M}(f)$ for $q^2+q$ decoding rules $f$. For any two messages $m_1$ and $m_2$: if they are two planes intersecting $L_0$ at two different points $s_1$ and $s_2$, then there are $q+1$ decoding rules $f$ such that $m_1 \in \mathcal{M}(f, s_1)$ and $m_2 \in \mathcal{M}(f, s_2)$; if they are two planes intersecting $L_0$ at the same point, then there are no decoding rules $f$ such that $m_1 \in \mathcal{M}(f, s_1)$ and $m_2 \in \mathcal{M}(f, s_2)$ with different $s_1$ and $s_2$. Thus $(\mathcal{M}, \{\mathcal{M}(f) \mid f \in \mathcal{E}_R\})$ is an RSPB $2$-$(q^3+q^2, q^3+q^2, q+1, q; q^2+q, q+1, 0)$ design.

The conditions (iii), (iv) and (v) of Theorem 1 are satisfied by this A²-code. If conditions (i) and (ii) are also satisfied, then this A²-code is optimal. Using Theorem 1 we find that

$$P_{O_0} = P_{O_1} = \frac{1}{q}, \qquad P_{R_0} = P_{R_1} = \frac{1}{q}, \qquad P_T = \frac{1}{q+1},$$

$$|\mathcal{E}_R| = q^3+q^2 = (P_{O_0} P_{O_1} P_T)^{-1}, \qquad |\mathcal{E}_T| = q^4 = (P_{O_0} P_{O_1} P_{R_0} P_{R_1})^{-1},$$

as shown in [3].
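As an added example (not code from the paper), the following Python script builds Johansson's Cartesian A²-code in PG(3, q) exactly as this appendix describes it, runs the transmit/verify/arbitrate steps, and checks the counts |S|, |M|, |E_R|, |E_T|, |E_T(f)|, |E_R(e)|, c and the cheating probabilities P_{O_0}, P_{O_1}, P_{R_0}, P_T of Theorem 1 by exhaustive enumeration for a small prime q. The restriction to prime q (so that F_q is Z/qZ), the choice of L_0 as the line through (1,0,0,0) and (0,1,0,0), and all function names are assumptions of mine.

```python
# Added example, not from the paper: Johansson's Cartesian A^2-code in PG(3, q),
# built from scratch so that the Appendix's counts and cheating probabilities
# can be verified by enumeration.  Assumptions (mine): q is prime, so F_q is
# Z/qZ; L0 is the line through (1,0,0,0) and (0,1,0,0); planes are represented
# by dual coordinates (a point lies on a plane iff the dot product is 0 mod q).
from fractions import Fraction
from itertools import combinations, product

def normalise(v, q):
    """Projective representative: scale so the first nonzero coordinate is 1."""
    lead = next(c for c in v if c)
    inv = pow(lead, -1, q)
    return tuple(c * inv % q for c in v)

def pg3_points(q):
    """All points of PG(3, q): (q^4 - 1)/(q - 1) normalised nonzero vectors."""
    return [v for v in product(range(q), repeat=4) if any(v) and normalise(v, q) == v]

def line_through(p1, p2, q):
    """The q + 1 points lam*p1 + mu*p2 on the line joining two distinct points."""
    pts = set()
    for lam, mu in product(range(q), repeat=2):
        if lam or mu:
            pts.add(normalise(tuple((lam * a + mu * b) % q for a, b in zip(p1, p2)), q))
    return frozenset(pts)

def incident(point, plane, q):
    return sum(a * b for a, b in zip(point, plane)) % q == 0

def build_code(q):
    points = pg3_points(q)
    L0 = line_through((1, 0, 0, 0), (0, 1, 0, 0), q)
    S = sorted(L0)                                               # source states: points of L0
    E_R = [f for f in points if f not in L0]                     # decoding rules: points off L0
    lines = {line_through(a, b, q) for a, b in combinations(points, 2)}
    E_T = sorted((e for e in lines if not (e & L0)), key=sorted)  # encoding rules: lines skew to L0
    M = [m for m in points if not all(incident(s, m, q) for s in L0)]  # planes not containing L0
    return {"q": q, "S": S, "E_R": E_R, "E_T": E_T, "M": M, "L0": L0}

def encode(code, e, s):
    """e(s) = <e, s>: the unique plane through the line e and the source point s."""
    q = code["q"]
    (m,) = [m for m in code["M"] if incident(s, m, q) and all(incident(p, m, q) for p in e)]
    return m

def decode(code, m):
    """Cartesian: the source state is the unique point of L0 lying on the plane m."""
    (s,) = [s for s in code["S"] if incident(s, m, code["q"])]
    return s

def receiver_accepts(code, f, m):
    return incident(f, m, code["q"])

def arbiter_accepts(code, e, m):
    return all(incident(p, m, code["q"]) for p in e)

def cheating_probabilities(code):
    """P_O0, P_O1, P_R0, P_T by counting, for uniform rules (Theorem 1 (i), Corollaries 1-3)."""
    q, S, E_R, E_T, M = (code[k] for k in ("q", "S", "E_R", "E_T", "M"))
    E_R_of = {m: [f for f in E_R if incident(f, m, q)] for m in M}     # E_R(m)
    p_o0 = max(Fraction(len(E_R_of[m]), len(E_R)) for m in M)
    p_o1 = max(Fraction(len(set(E_R_of[m1]) & set(E_R_of[m2])), len(E_R_of[m1]))
               for m1 in M for m2 in M if decode(code, m1) != decode(code, m2))
    p_r0 = Fraction(0)
    for f in E_R:
        E_T_f = [e for e in E_T if f in e]                               # E_T(f)
        for m in M:
            if incident(f, m, q):                                        # m in M(f)
                p_r0 = max(p_r0, Fraction(sum(arbiter_accepts(code, e, m) for e in E_T_f), len(E_T_f)))
    # P_T: E_R(e) is the set of points of e; E_R(e, m') are those also on the plane m' not through e
    p_t = max(Fraction(sum(f in e for f in E_R_of[m]), len(e))
              for e in E_T for m in M if not arbiter_accepts(code, e, m))
    return {"P_O0": p_o0, "P_O1": p_o1, "P_R0": p_r0, "P_T": p_t}

if __name__ == "__main__":
    code = build_code(3)
    e, s = code["E_T"][0], code["S"][0]
    f = sorted(e)[0]                     # a decoding rule under which e is valid
    m = encode(code, e, s)
    print(len(code["M"]), len(code["E_R"]), len(code["E_T"]), decode(code, m) == s,
          receiver_accepts(code, f, m), arbiter_accepts(code, e, m), cheating_probabilities(code))
```

For q = 3 the enumeration gives 36 messages, 36 decoding rules and 81 encoding rules, nine encoding rules valid under each f and four decoding rules under which each e is valid, with P_{O_0} = P_{O_1} = P_{R_0} = 1/3 and P_T = 1/4, matching the formulas above; the receiver's two remaining planes through f and s that do not contain e are exactly the messages an R_0 attack can claim, which the arbiter rejects.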
Abstract. The main purpose of this paper is to examine applications of group theoretical concepts to cryptography. We construct a backward deterministic system employing the action of the modular group on the upper half plane and the amalgamated free product structure of the group. We invent a geometrical algorithm that finds the normal form of an element of the modular group effectively. This algorithm makes our backward deterministic system tractable. Using the backward deterministic system, we invent a public-key cryptosystem in terms of a functional cryptosystem.

Keywords: public-key cryptosystem, functional cryptosystem, backward deterministic system, modular group, amalgamated free product

1 Introduction

Many public-key cryptosystems rely on the difficulty of solving a few specific problems such as finding the prime factorization of a composite number and the discrete logarithm problem. While the existing systems depending on the hardness of these problems are considered secure, there is still deep concern about the security of these systems. We must not deny the possibility that a genius eventually discovers a fast algorithm to solve those problems in the near future. In fact Shor invented a fast algorithm for prime factorization and the discrete logarithm problem based on quantum computing, although practical realization of such a computational device has many difficulties at the present moment. We also note that Adleman reported that a DNA computer solves a 7 vertex and 14 edge instance of the Hamiltonian path problem. Therefore we should avoid the situation that all the cryptosystems in hand depend on a few principles. Our intention is to provide backup cryptosystems for the currently working cryptosystems that depend on the difficulty of solving a few specific problems. We propose a public-key cryptosystem as a first step toward inventing a scheme of cryptography using new technologies from mathematics other than number theory. We employ the modular group and import several ideas from combinatorial group theory. The encryption and decryption of our cryptosystem are based on the uniqueness of a certain expression of an element of the modular group and its action on the upper half plane.

First, we briefly review a functional cryptosystem, which is the basic scheme of ours. We give the definitions of a backward deterministic system and a morphism between two backward deterministic systems. Then we demonstrate how to construct a backward deterministic system using a group action on a certain space.

Secondly, we recall basic results on combinatorial group theory. An amalgamated free product of groups is introduced and explained. We also recall several fundamental results on the modular group. The modular group is the group of 2x2 matrices over rational integers with determinant one. It is known that the modular group is an amalgamated free product of finite cyclic groups. We give a geometrical algorithm that finds the normal form of a matrix in the modular group using the action of the modular group on the upper half plane. The algorithm is very efficient because of its geometrical nature.

Thirdly, we provide a public-key cryptosystem in terms of a backward deterministic system using the action of the modular group on the upper half plane. A similar cryptosystem using the modular group was introduced in earlier work. Our approach is different from theirs in that ours is based on a functional cryptosystem and also our decryption algorithm is faster. We explain the public key, the private key, the encryption and decryption methods. We discuss issues on the proposed system.

2 Functional Cryptosystems

The concept of a functional cryptosystem was introduced to build a public-key cryptosystem using grammar theoretical concepts (see […]). In this section we review several concepts and terminologies. Let $X$ be a set and $f_i$ a function of $X$ into $X$ for each $i \in I$, where $I$ is a finite set. We suppose that there is an element $x \in X$ such that if we have

$$ f_{i_1} \circ f_{i_2} \circ \cdots \circ f_{i_n}(x) = f_{j_1} \circ f_{j_2} \circ \cdots \circ f_{j_m}(x) $$

where $i_1, i_2, \ldots, i_n, j_1, j_2, \ldots, j_m \in I$, then $n = m$ and $i_k = j_k$ for every $k = 1, 2, \ldots, n$. The triple $(\{f_i\ (i \in I)\}, x, X)$ is called a backward deterministic system. Now let $(\{f_i\ (i \in I)\}, x, X)$ and $(\{g_i\ (i \in I)\}, y, Y)$ be backward deterministic systems. A morphism $\phi$ of $(\{f_i\ (i \in I)\}, x, X)$ to $(\{g_i\ (i \in I)\}, y, Y)$ is a mapping $\phi : X \to Y$ satisfying $\phi(x) = y$ and also $\phi \circ f_i = g_i \circ \phi$ for each $i \in I$. Assume that $p = f_{i_1} \circ f_{i_2} \circ \cdots \circ f_{i_n}(x)$. Let $q = \phi(p)$. Then we have

$$ \begin{aligned} q = \phi(p) &= \phi(f_{i_1} \circ f_{i_2} \circ f_{i_3} \circ \cdots \circ f_{i_n}(x)) \\ &= g_{i_1}(\phi(f_{i_2} \circ f_{i_3} \circ \cdots \circ f_{i_n}(x))) \\ &= g_{i_1} \circ g_{i_2}(\phi(f_{i_3} \circ \cdots \circ f_{i_n}(x))) \\ &= \cdots \\ &= g_{i_1} \circ g_{i_2} \circ \cdots \circ g_{i_n}(\phi(x)) \\ &= g_{i_1} \circ g_{i_2} \circ \cdots \circ g_{i_n}(y). \end{aligned} $$

Note that the morphism $\phi$ preserves information on the sequence $i_1, i_2, \ldots, i_n$. We employ backward deterministic systems to construct a public-key cryptosystem. The most significant point in making up a public-key cryptosystem is to supply a trapdoor. In the case of a functional cryptosystem, the idea is to find two backward deterministic systems with distinct complexities and an effectively computable morphism between them. We require that one of the backward deterministic systems, $(\{f_i\ (i \in I)\}, x, X)$, is harder than the other in the following sense: let $p = f_{i_1} \circ f_{i_2} \circ \cdots \circ f_{i_n}(x)$. If we are given the point $p$ on $X$, we have no efficient way to find how the $f_i$'s were applied to $x$ to get the point $p$. We remark that there is a unique way to obtain $p$ by applying $f_i$'s to $x$, since $(\{f_i\ (i \in I)\}, x, X)$ is backward deterministic. On the other hand, the other backward deterministic system $(\{g_i\ (i \in I)\}, y, Y)$ is feasible, that is, if we have $q = g_{i_1} \circ g_{i_2} \circ \cdots \circ g_{i_n}(y)$, there is an efficient algorithm that finds how to apply the $g_i$'s to $y$ to get $q$, that is, an algorithm that finds the sequence $g_{i_1}, g_{i_2}, \ldots, g_{i_n}$. A morphism $\phi$ of $(\{f_i\ (i \in I)\}, x, X)$ into $(\{g_i\ (i \in I)\}, y, Y)$ is a part of the trapdoor of the cryptosystem. We publicize the backward deterministic system $(\{f_i\ (i \in I)\}, x, X)$ and keep $(\{g_i\ (i \in I)\}, y, Y)$ and $\phi$ secret. A message sender encrypts a message $i_1 i_2 \cdots i_n$, where $i_1, i_2, \ldots, i_n \in I$, into the composition $f_{i_1} \circ f_{i_2} \circ \cdots \circ f_{i_n}$ of the mappings, computes the point $p = f_{i_1} \circ f_{i_2} \circ \cdots \circ f_{i_n}(x)$ on $X$ and then sends $p$ to the legal receiver. The legal receiver applies the trapdoor $\phi$ to the encrypted text $p$ and gets $q = \phi(p)$. Since $\phi$ is a morphism of the backward deterministic systems, we have $q = g_{i_1} \circ g_{i_2} \circ \cdots \circ g_{i_n}(y)$. Then the legal receiver can obtain the sequence of the mappings $g_{i_1} \circ g_{i_2} \circ \cdots \circ g_{i_n}$ using the efficient algorithm for $(\{g_i\ (i \in I)\}, y, Y)$. Hence, the original message $i_1 i_2 \cdots i_n$ can be obtained by the legal receiver. On the other hand, an eavesdropper may be able to get the message $p$, and $(\{f_i\ (i \in I)\}, x, X)$ is public information. However, the eavesdropper cannot obtain the sequence of mappings $f_{i_1} \circ f_{i_2} \circ \cdots \circ f_{i_n}$ from the information $p$ and the backward deterministic system $(\{f_i\ (i \in I)\}, x, X)$, since the system $(\{f_i\ (i \in I)\}, x, X)$ is intractable. Therefore, the cryptosystem is secure in principle. If we can find a pair of backward deterministic systems and a morphism satisfying the computational complexity requirements, we can employ them to build a public-key cryptosystem. This type of cryptosystem is called a functional cryptosystem.

We now propose a functional cryptosystem using a group action on a certain object in mathematics. Let $G$ be a group and $X$ a non-empty set (or some other mathematical object). We say that $G$ acts on $X$ if there is a mapping $\rho$ of $G \times X$ into $X$ (we usually denote the image $\rho(g, x)$ of $(g, x)$ under $\rho$ by $gx$) satisfying the following:

(i) For $a, b \in G$ and $x \in X$, we have $(ab)x = a(bx)$.

(ii) For $x \in X$, we have $1x = x$, where $1$ is the identity element of $G$.

Suppose that a group $G$ acts on a set $X$. Then each element $g$ of $G$ can be regarded as a one-to-one function of $X$ onto $X$ under the rule $x \mapsto gx$ for $x \in X$. Now we consider a homomorphism $\phi$ of a group $G$ acting on a set $X$ to a group $H$ acting on a set $Y$. Assume that a mapping $f$ of $X$ into $Y$ satisfies

$$ f(gx) = \phi(g) f(x) $$

for each $g \in G$ and $x \in X$. Let $g_i \in G$ for each $i \in I$, where $I$ is a finite set. Let $x \in X$. Suppose that $(\{\phi(g_i)\ (i \in I)\}, f(x), Y)$ is a backward deterministic system. Then clearly $(\{g_i\ (i \in I)\}, x, X)$ is also a backward deterministic system. The mapping $f$ is a morphism between the two systems. We offer a concrete example of such a functional cryptosystem using the modular group in Section 5.



3 The Modular Group

The group of $2 \times 2$ matrices over rational integers with determinant 1 is called the modular group and denoted by $SL(2, \mathbb{Z})$, that is,

$$ SL(2, \mathbb{Z}) = \left\{ \begin{pmatrix} a & b \\ c & d \end{pmatrix} \;\middle|\; a, b, c, d \in \mathbb{Z},\ ad - bc = 1 \right\}. $$

Let $A$ and $B$ be the matrices in $SL(2, \mathbb{Z})$ given by

A =

B =

It is easy to see that $A^6 = B^4 = 1$ and $A^3 = B^2$. Furthermore, it is known that $A$ and $B$ generate $SL(2, \mathbb{Z})$. As a matter of fact, $SL(2, \mathbb{Z})$ has the presentation

$$ Gp(A, B \mid A^6 = B^4 = 1,\ A^3 = B^2). $$

This simply implies that $SL(2, \mathbb{Z})$ is the free product of the cyclic group $\langle A \rangle$ of order 6 and the cyclic group $\langle B \rangle$ of order 4 amalgamating the cyclic group $H = \langle A^3 \rangle = \langle B^2 \rangle = \{I, -I\}$ of order 2 (see [3], […] and [12] for details). Therefore, every element of $SL(2, \mathbb{Z})$ is uniquely written as a normal form. We choose $\{I, A, A^2\}$ as the set of coset representatives of $H$ in $\langle A \rangle$. We choose $\{I, B\}$ as the set of coset representatives of $H$ in $\langle B \rangle$. Then every element in $SL(2, \mathbb{Z})$ is uniquely written as $s_1 s_2 \cdots s_n$ where $s_n$ is in $H$ and each $s_k$ ($k = 1, 2, \ldots, n-1$) is $A$, $A^2$ or $B$ such that if $s_k$ is in $\{A, A^2\}$, then $s_{k+1}$ is in $\{B\}$ and vice versa. We note that $s_n = \pm I$ since $s_n \in H = \{I, -I\}$. For example, $ABA^2$, $BAB$, $BABA^2BABA^2BA^2BA^2$ are in normal form. In general, every element can be uniquely written as a normal form with respect to generators $A_1, B_1$ of the modular group subject to the relations $A_1^6 = B_1^4 = 1$, $A_1^3 = B_1^2$. Such generators can be obtained as conjugations of $A$ and $B$ by a matrix in the modular group.
Algorithm 1

For an element $M$ in the modular group, there is a linear time algorithm to find the normal form for $M$. In fact, there is an algorithm to find the normal form for an element of an amalgamated free product of groups. The details of Algorithm 1 are given in the Appendix.



We now review the action of the modular group on the upper half plane of the Gaussian plane. We denote the upper half plane by $\mathcal{H}$, that is,

$$ \mathcal{H} = \{ z \in \mathbb{C} \mid \mathrm{Im}(z) > 0 \} $$

where $\mathbb{C}$ is the field of all complex numbers and $\mathrm{Im}(z)$ is the imaginary part of the complex number $z$. Let $M$ be a matrix in $SL(2, \mathbb{Z})$. A fractional linear (Möbius) transformation $f_M$ determined by the matrix $M$ is given as follows. For $z \in \mathbb{C}$,

$$ f_M(z) = \frac{az + b}{cz + d} \qquad \text{where } M = \begin{pmatrix} a & b \\ c & d \end{pmatrix}. $$

It is easy to see that for $z \in \mathcal{H}$, we have $f_M(z) \in \mathcal{H}$. A group action of $SL(2, \mathbb{Z})$ on $\mathcal{H}$ is naturally induced as follows: for $M$ in $SL(2, \mathbb{Z})$ and $z \in \mathcal{H}$, $Mz = f_M(z)$. Obviously $SL(2, \mathbb{Z})$ acts on $\mathcal{H}$ in terms of fractional linear transformations. The equivalence relation on $\mathcal{H}$ is induced by the group action as follows: for $z_1, z_2 \in \mathcal{H}$, $z_1 \sim z_2$ if there is $M \in SL(2, \mathbb{Z})$ such that $Mz_1 = z_2$. We refer the interested reader to […] and [12] for the details of the action of the modular group on the upper half plane $\mathcal{H}$. We now give a geometrical algorithm that finds the normal form (up to $\pm I$) for a given matrix $M \in SL(2, \mathbb{Z})$ with respect to the matrices $A$ and $B$. We define regions $O$, $P$, $Q$ and $R$ as follows:

$$ \begin{aligned} O &= \{ z \in \mathbb{C} \mid |\mathrm{Re}(z)| \le 1/2,\ 1 \le |z| \}, \\ P &= \{ z \in \mathbb{C} \mid \mathrm{Re}(z) > 1/2,\ 1 < |z| \}, \\ Q &= \{ z \in \mathbb{C} \mid 1 > |z|,\ 1 > |z - 1| \}, \\ R &= \{ z \in \mathbb{C} \mid 1 > |z|,\ 1 < |z - 1| \} \cup \{ z \in \mathbb{C} \mid \mathrm{Re}(z) < -1/2 \}. \end{aligned} $$

We note that $O$ is the fundamental domain (see […] for more details of the fundamental domain). We now describe the algorithm that, for a given point $z \in \mathcal{H}$ which is equivalent to $y \in O$, finds the matrix $N$ such that $Nz = y$ and its normal form using geometry on the upper half plane.



Algorithm 2

INPUT: A point $z \in \mathcal{H}$ which is equivalent to the point $y$ in the interior of $O$.
OUTPUT: The matrix $N$ such that $Nz = y$ and its normal form with respect to $A$ and $B$.

Step 0) Let $z$ be the given point. Let $L$ be the empty list $(\,)$.

Step 1) If $z$ is in $O$, then return $L$ and the algorithm ends. Otherwise go to Step 2).

Step 2) If $z$ is in $P$, then set $z \leftarrow A^{-1} z$ and push $A$ into $L$ from the right hand side, that is, $L$ becomes $(X_1, X_2, \ldots, X_n, A)$ if $L = (X_1, X_2, \ldots, X_n)$, where each $X_i$ is $A$, $A^2$ or $B$.

If $z$ is in $Q$, then set $z \leftarrow A^{-2} z$ and push $A^2$ into $L$ from the right hand side, that is, $L$ becomes $(X_1, X_2, \ldots, X_n, A^2)$ if $L = (X_1, X_2, \ldots, X_n)$.

If $z$ is in $R$, then set $z \leftarrow B^{-1} z$ and push $B$ into $L$ from the right hand side, that is, $L$ becomes $(X_1, X_2, \ldots, X_n, B)$ if $L = (X_1, X_2, \ldots, X_n)$.

Then go to Step 1).

Proposition 1. The algorithm above stops within $2n + 1$ steps if the length of the normal form for $N$ is $n$. Moreover, if $L = (X_1, X_2, \ldots, X_n)$ where $X_k$ is $A$, $A^2$ or $B$, then the normal form for $N$ with respect to $A$ and $B$ is $X_1 X_2 \cdots X_n$ up to $\pm I$.

Proof. We note that $A$ and $B$ generate $SL(2, \mathbb{Z})$ and that $O$ is a fundamental domain of $\mathcal{H}$. It follows that every point $p$ on the upper half plane can be written as $p = Mq$ where $q$ is in $O$ and $M \in SL(2, \mathbb{Z})$. Furthermore, it is easy to verify that

$$ AO \subset P,\quad AR \subset P,\quad AP \subset Q,\quad AQ \subset R \cup O $$

and

$$ BO \subset R,\quad BP \subset R,\quad BQ \subset R,\quad BR \subset O \cup P \cup Q. $$

Suppose that $N$ is in $SL(2, \mathbb{Z})$ and that its normal form is $X_1 X_2 \cdots X_n$ up to $\pm I$, where $X_k$ is $A$, $A^2$ or $B$ for each $k = 1, 2, \ldots, n$. Take an arbitrary point $y$ from $O$. We can obtain information on the first letter of the normal form from the position of the point $Ny$ on the upper half plane. If $X_1$ is $A$, then $Ny$ must lie in $P$. If $X_1$ is $A^2$, then $Ny$ must lie in $Q$. If $X_1$ is $B$, then $Ny$ must lie in $R$. For instance, if $X_1 X_2 = AB$, then $Ny$ must be in $P$ and we obtain $X_1 = A$ and $X_2 = B$. Similarly we can deduce the other cases. We should note that the algorithm ends in exactly $n$ steps if the length of the normal form is $n$.

To find the matrix $N$ and its normal form with respect to $A$ and $B$, one can employ the standard reduction algorithm (Algorithm 7.4.2 in [2]) and Algorithm 1 in the following way. By the standard reduction algorithm we can find the matrix $N$ as a product of the matrices $T$, $T^{-1}$ and $S$. Since we are looking for the normal form with respect to $A$ and $B$, first we must rewrite $T$, $T^{-1}$ and $S$ as words on $A$ and $B$. We replace $T$, $T^{-1}$ and $S$ by $AB^3$, $BA^2$ and $B$, respectively. We note that $T = AB^3$ and $S = B$ hold in the modular group. Hence, we can write the matrix $N$ as a product of the matrices $A$ and $B$. Then we get the normal form of $N$ by using Algorithm 1. We remark that we do not know a bound on the running time of the standard reduction algorithm, whereas Algorithm 2 ends within at most $2n + 1$ steps. The rewriting and the run of Algorithm 1 cost extra running time compared to Algorithm 2. Hence, Algorithm 2 is faster than using the standard reduction algorithm and Algorithm 1 as long as we are looking for the normal form with respect to $A$ and $B$.

We remark that since we can find the normal form for a matrix $M \in SL(2, \mathbb{Z})$ with respect to the matrices $A$ and $B$ within linear time using Algorithm 2, we can also find the normal form for $M$ with respect to other generators $A_1$ and $B_1$ of $SL(2, \mathbb{Z})$ satisfying the relations $A_1^6 = 1 = B_1^4$ and $A_1^3 = B_1^2$ by using Algorithm 1 and Algorithm 2 consecutively within linear time.



4 A Functional Cryptosystem Using the Modular Group

Let us define two backward deterministic systems using the action of $SL(2, \mathbb{Z})$ on the upper half plane and apply the scheme of functional cryptosystems in Section 2. Let $A_1$ and $B_1$ be generators of $SL(2, \mathbb{Z})$ subject to $A_1^6 = B_1^4 = 1$ and $A_1^3 = B_1^2$. We have seen that there are infinitely many choices for $A_1$ and $B_1$. We choose words $V_1, V_2$ on the letters $A_1$ and $B_1$ such that $V_1$ and $V_2$ generate a free subsemigroup of $SL(2, \mathbb{Z})$, that is, if for two words $X_1, X_2 \in \{V_1, V_2\}^+$ we have $X_1 = X_2$ in $SL(2, \mathbb{Z})$, then $X_1 = X_2$ as words on $\{V_1, V_2\}$. The following words $V_1$ and $V_2$ violate the condition above. We set $V_1 = A_1 B_1$ and $V_2 = A_1 B_1 A_1 B_1$. Then we have $X_1 = V_1 V_2$ and $X_2 = V_2 V_1$, and hence $X_1 = X_2$ holds in the modular group although $X_1 \neq X_2$ as words on $\{V_1, V_2\}$. Furthermore, we require that every concatenation of $V_1$ and $V_2$ is in normal form with respect to $A_1$ and $B_1$, that $V_1$ is not an initial segment of $V_2$ and that $V_2$ is not an initial segment of $V_1$. For example, the matrices $(B_1 A_1)^i$ and $(B_1 A_1^2)^j$ form a free subsemigroup of $SL(2, \mathbb{Z})$ for all positive integers $i$ and $j$ and satisfy our requirements. It is easy to find such a pair of matrices in general using combinatorics on words. We choose a matrix $M$ arbitrarily from $GL(2, \mathbb{R})$ and set

$$ W_1 = M^{-1} V_1 M, \qquad W_2 = M^{-1} V_2 M. $$

Recall that $GL(2, \mathbb{R})$ is the group of all $2 \times 2$ invertible matrices over the real number field $\mathbb{R}$. We note that $W_1$ and $W_2$ are in $SL(2, \mathbb{R})$ since for each $i = 1, 2$ we have

$$ \det(W_i) = \det(M^{-1} V_i M) = \det(M^{-1}) \det(V_i) \det(M) = \det(M)^{-1} \det(V_i) \det(M) = \det(V_i) = 1. $$
We should note that $SL(2, \mathbb{R})$ acts on the upper half plane $\mathcal{H}$ in the same way as $SL(2, \mathbb{Z})$ acts on $\mathcal{H}$, in terms of fractional linear transformations. Let $X = M^{-1} \mathcal{H} = \{ M^{-1} q \mid q \in \mathcal{H} \}$. Let $p$ be a point on $X$ such that the point $Mp$ is in the interior of the fundamental domain $O$. Therefore $SL(2, \mathbb{Z})$ acts faithfully on $Mp$ up to $\pm I$, that is, if $LMp = NMp$ for $L, N \in SL(2, \mathbb{Z})$ then we have $L = \pm N$. Let $f_M : X \to \mathcal{H}$ be the fractional linear mapping defined by

$$ f_M(q) = Mq. $$

Let $G = M^{-1} SL(2, \mathbb{Z}) M$. The homomorphism $\phi : G \to SL(2, \mathbb{Z})$ is given by

$$ \phi(N) = M N M^{-1}. $$

Then it is easy to see that $f_M(Nx) = \phi(N) f_M(x)$ for each $N \in G$ and $x \in X$. We can easily verify that $(\{W_1, W_2\}, p, X)$ and $(\{V_1, V_2\}, f_M(p), \mathcal{H})$ are backward deterministic using the uniqueness of normal forms of a matrix in the modular group. Obviously $f_M$ is a morphism between them. We follow the scheme described in Section 2 to build a functional cryptosystem using these backward deterministic systems.

Public-key: The backward deterministic system $(\{W_1, W_2\}, p, X)$.

Private-key: The backward deterministic system $(\{V_1, V_2\}, f_M(p), \mathcal{H})$.

We suppose that the plaintext to be sent is the sequence $i_1 i_2 \cdots i_n$ where $i_k \in \{1, 2\}$ for $k = 1, 2, \ldots, n$.

Encryption method:

Compute the matrix $W_{i_1} W_{i_2} \cdots W_{i_n}$ and call this matrix $E$. We note that

$$ E = M^{-1} V_{i_1} M \, M^{-1} V_{i_2} M \cdots M^{-1} V_{i_n} M = M^{-1} V_{i_1} V_{i_2} \cdots V_{i_n} M. $$

Then let $E$ act on the point $p$ on $X$ by the fractional linear mapping determined by the matrix $E$. Compute the point $f_E(p) = Ep$ and call it $q$, that is, $q = Ep$. Since $G$ acts on $X$, the point $q$ is on $X$. Now the point $q$ is sent to the legal receiver. Therefore $q$ is the encrypted message for the original message $i_1 i_2 \cdots i_n$.

Decryption method:

Employing Algorithm 2, the legal receiver finds the normal form $X_1 X_2 \cdots X_l$, where $X_k$ is $A$, $A^2$ or $B$ for $k = 1, 2, \ldots, l$, such that $Mq = X_1 X_2 \cdots X_l (Mp)$. We denote the matrix $X_1 X_2 \cdots X_l$ by $N$. Hence, $Mq = N(Mp)$. Since $SL(2, \mathbb{Z})$ is generated by $A_1$ and $B_1$ (by our choice of $A_1$ and $B_1$), both $A$ and $B$ are written as products of the matrices $A_1$ and $B_1$. We suppose that $A = Z_1(A_1, B_1)$ and $B = Z_2(A_1, B_1)$ where $Z_1(A_1, B_1)$ and $Z_2(A_1, B_1)$ are words on $A_1$ and $B_1$. By substituting $Z_1(A_1, B_1)$ for $A$ and $Z_2(A_1, B_1)$ for $B$, respectively, the legal receiver gets

$$ N = Z_{j_1}(A_1, B_1) Z_{j_2}(A_1, B_1) \cdots Z_{j_l}(A_1, B_1) $$

where $j_k$ is 1 if $X_k$ is $A$ and $j_k$ is 2 if $X_k$ is $B$. Employing Algorithm 1, the legal receiver obtains the normal form of $N$ with respect to $A_1$ and $B_1$. By the uniqueness of expression of the normal form and our requirements on $V_1$ and $V_2$, the legal receiver obtains the sequence $V_{i_1} V_{i_2} \cdots V_{i_n}$, and hence, the original plaintext $i_1 i_2 \cdots i_n$.

Small example:

We see how we encrypt and decrypt a small message. Let $V_1 = BA$ and $V_2 = BA^2$, let $M$ be a matrix in $GL(2, \mathbb{R})$, and set $W_1 = M^{-1} V_1 M$ and $W_2 = M^{-1} V_2 M$. Let $p$ be the point on $X$ with $f_M(p) = 2i \in O$, and let the plaintext be 121. Then 121 is encrypted as the point $q = W_1 W_2 W_1 p$. The legal receiver decrypts it by computing $Mq$ and then feeding $Mq$ to Algorithm 2. Then the normal form $BABA^2BA$ is obtained. Since $V_1 = BA$ and $V_2 = BA^2$ generate a free subsemigroup of the modular group, the plaintext 121 is retrieved.
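As an added example (not code from the paper), here is Algorithm 2 together with the encryption and decryption of Section 4 run on the small example above: $V_1 = BA$, $V_2 = BA^2$, plaintext 121 and $Mp = 2i$. The entries of $A$ and $B$ do not appear above, so the code assumes $A = TB$ and $B = S$ with $T = \begin{pmatrix} 1 & 1 \\ 0 & 1 \end{pmatrix}$ and $S = \begin{pmatrix} 0 & -1 \\ 1 & 0 \end{pmatrix}$, which satisfies $T = AB^3$ and $S = B$ as stated in Section 3; the key matrix $M$ and the point $p$ are constructed values, and the output convention $z = Ny$ is the one used in Proposition 1 and in the decryption step.

```python
# Added example, not the paper's code.  Assumptions: A = T*B and B = S with
# T = [[1, 1], [0, 1]] and S = [[0, -1], [1, 0]] (consistent with T = A B^3 and
# S = B in Section 3); the key matrix M and the point p are constructed here.

def mul(X, Y):
    """Product of 2x2 matrices stored as (a, b, c, d) = [[a, b], [c, d]]."""
    (a, b, c, d), (e, f, g, h) = X, Y
    return (a * e + b * g, a * f + b * h, c * e + d * g, c * f + d * h)

def inv(X):
    """Inverse of an invertible 2x2 matrix (entries may be real)."""
    a, b, c, d = X
    det = a * d - b * c
    return (d / det, -b / det, -c / det, a / det)

def act(X, z):
    """Fractional linear (Mobius) action f_X(z) = (az + b) / (cz + d)."""
    a, b, c, d = X
    return (a * z + b) / (c * z + d)

I = (1, 0, 0, 1)
B = (0, -1, 1, 0)                    # B = S, order 4, B^2 = -I
A = mul((1, 1, 0, 1), B)             # A = T*B = [[1, -1], [1, 0]], order 6, A^3 = -I
LETTER = {"A": A, "A2": mul(A, A), "B": B}     # alphabet of the normal form

def region(z):
    """Regions O, P, Q, R of Section 3 (interior points never hit a boundary)."""
    x, r = z.real, abs(z)
    if abs(x) <= 0.5 and r >= 1:
        return "O"
    if x > 0.5 and r > 1:
        return "P"
    if r < 1 and abs(z - 1) < 1:
        return "Q"
    return "R"                       # (|z| < 1 and |z - 1| >= 1) or Re(z) < -1/2

def normal_form(z, max_steps=10_000):
    """Algorithm 2.  Input z = N*y with y in the interior of O.  Returns the
    letters X1..Xn of N (up to +-I) and N = X1 X2 ... Xn, the convention of
    Proposition 1 and of the decryption step (Mq = N(Mp))."""
    letters, N = [], I
    for _ in range(max_steps):
        reg = region(z)
        if reg == "O":
            return letters, N
        name = {"P": "A", "Q": "A2", "R": "B"}[reg]
        letters.append(name)
        N = mul(N, LETTER[name])
        z = act(inv(LETTER[name]), z)   # z <- X^-1 z strips X from the left
    raise ValueError("z is not equivalent to an interior point of O")

# Private key: V1 = BA, V2 = BA^2 (the paper's small example) and M.
# Public key: W_i = M^-1 V_i M and a point p on X = M^-1 H with Mp = 2i in O.
V1_WORD, V2_WORD = ["B", "A"], ["B", "A2"]
M = (1.5, 0.25, 0.5, 1.0)                          # constructed key, det = 1.375
W1 = mul(mul(inv(M), mul(B, A)), M)                # M^-1 (BA) M
W2 = mul(mul(inv(M), mul(B, LETTER["A2"])), M)     # M^-1 (BA^2) M
P = act(inv(M), 2j)                                # so that act(M, P) == 2i

def encrypt(plaintext):
    """q = E p with E = W_{i1} W_{i2} ... W_{in} for a plaintext over {1, 2}."""
    E = I
    for i in plaintext:
        E = mul(E, W1 if i == 1 else W2)
    return act(E, P)

def decrypt(q):
    """Mq = N(Mp): read off N's normal form, then split it into V1, V2 words."""
    letters, _ = normal_form(act(M, q))
    plaintext, pos = [], 0
    while pos < len(letters):
        for digit, word in ((1, V1_WORD), (2, V2_WORD)):
            if letters[pos:pos + len(word)] == word:
                plaintext.append(digit)
                pos += len(word)
                break
        else:
            raise ValueError("normal form is not a concatenation of V1 and V2")
    return plaintext
```

`decrypt(encrypt([1, 2, 1]))` reproduces the small example: Algorithm 2 applied to $Mq$ returns the letters B, A, B, A2, B, A, that is $BABA^2BA$, which splits as $V_1 V_2 V_1$ and gives back 121.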

Comparison with the previous work:

In [14], to construct a public key cryptosystem, the amalgamated free product structure of the modular group and the uniqueness of the normal form are used, as in the present paper. The plaintext is a bit sequence $i_1 i_2 \cdots i_n$ and is encrypted as the matrix $E(x) = W_2(x) W_1^{i_1}(x) W_2(x) W_1^{i_2}(x) \cdots W_2(x) W_1^{i_n}(x) W_2(x)$, where $W_1(x)$ and $W_2(x)$ are $2 \times 2$ matrices over the polynomial ring over the complex numbers. Decryption is done by applying the homomorphism given by substituting the secret key $a$ for $x$ in $E(x)$, followed by conjugation by a matrix $M$ that is secret. Then $M E(a) M^{-1}$ is the decrypted message and we can find its normal form using Algorithm 1 and the standard reduction algorithm. Then it must be of the form $V_2 V_1^{i_1} V_2 V_1^{i_2} \cdots V_2 V_1^{i_n} V_2$, and hence, the legal receiver can retrieve the plaintext $i_1 i_2 \cdots i_n$. In this cryptosystem, the encrypted message is a $2 \times 2$ matrix over the polynomial ring, whereas the one in the present paper is a point on the upper half plane. The scheme in the present paper is based on the scheme of the functional cryptosystem, whereas the one in [14] is not. The author believes that basing it on the scheme of the functional cryptosystem makes our system somewhat clearer than the one in [14].

5 Several Issues

We briefly discuss several issues on the proposed cryptosystem in this section. Since the encryption and decryption depend on the free semigroup structure of subsemigroups of the corresponding groups, and conjugation by an element of $GL(2, \mathbb{R})$ preserves the freeness of subsemigroups, to break the system an eavesdropper may want to find a matrix $N$ in $GL(2, \mathbb{R})$ such that $N W_1 N^{-1}$, $N W_2 N^{-1}$ are in $SL(2, \mathbb{Z})$. If the eavesdropper can find such a matrix $N$, he may be able to use Algorithm 1 and Algorithm 2 to break the cryptosystem. To find such a matrix $N$ it is necessary to solve the system of matrix equations

$$ N W_1 N^{-1} = U, \qquad N W_2 N^{-1} = V $$

where $U$, $V$, $N$ are unknown such that $U, V \in SL(2, \mathbb{Z})$ and $N \in GL(2, \mathbb{R})$. This system consists of 11 equations in 12 variables over the field of real numbers. We note that if $N$ is found then $U$, $V$ are automatically derived. There are infinitely many solutions for this system of equations in principle because the number of variables is larger than the number of equations. We know a solution, that is, the matrices $M$, $V_1$ and $V_2$ form one of the solutions. There is no known algorithm to solve a system of equations of this type as far as the author knows. Numerical analysis methods may be able to solve the system of equations; however, they give just an approximation of the solution $N$. Hence, we do not know whether or not numerical analysis methods really work. Moreover, we can possibly avoid such an attack by restricting the field of real numbers to a finite extension field of the field of rational numbers. It is possible to realize the field operations of a splitting field of an irreducible polynomial over the field of rational numbers on computers. We should also note that $N$ is not necessarily equal to $M$ and that if $N$ is distinct from $M$, the eavesdropper still has a problem decrypting the message, because $N$ does not necessarily yield free generators of a free subsemigroup of $SL(2, \mathbb{Z})$ satisfying our requirements. For, even if matrices $U_1$ and $U_2$, words on generators $A_2$ and $B_2$ of $SL(2, \mathbb{Z})$ subject to the relations $A_2^6 = 1 = B_2^4$ and $A_2^3 = B_2^2$, form a set of free generators of a free subsemigroup, a concatenation of them is not necessarily in normal form with respect to $A_2$ and $B_2$, and hence there is still trouble retrieving the plaintext.

Another possible attack is to find the matrix $E$ and decompose it directly into a product of $W_1$ and $W_2$. There might be a smart way to find and decompose the matrix $E$. Of course, if the matrix $E$ is found, then the eavesdropper can decompose $E$ by guessing the decomposition and then checking whether or not it gives the correct answer. However, this is a non-deterministic polynomial time algorithm and so takes exponential time. Hence, it is too slow for breaking the system. Therefore, the backward deterministic system $(\{W_1, W_2\}, p, X)$ is considered intractable. On the other hand, the backward deterministic system $(\{V_1, V_2\}, f_M(p), \mathcal{H})$ is tractable because we can employ the geometry of the upper half plane. In mathematics, geometry often provides a fast algorithm such as Algorithm 2. The first backward system is associated with the space $X$, which is intractable; on the other hand, the second system is associated with the upper half plane, which we understand well. The difference between the two systems lies in geometry.

Another issue on the cryptosystem is practicality. The proposed cryptosystem is fairly experimental, and hence its practicality has not been investigated so far. Several issues to be considered are expansion of messages, key sizes and rounding errors, among others. Expansion of messages happens in the proposed cryptosystem. To avoid this we may want to find an alternative group action and backward system such that expansion does not happen.
Appendix:

INPUT: A decomposition $u_1 u_2 \cdots u_n$ of an element $g$ in $G_1 *_{H_1 = H_2} G_2$ as a product of an alternating sequence of elements from $G_1$ and $G_2$.
OUTPUT: The normal form $s_1 s_2 \cdots s_n$ of $g$.

Step 0) We note that $u_1 \in G_1$ or $G_2$. We now assume that $u_1 \in G_1$. Then we have $u_1 = s_1 v_1$ where $s_1$ is a representative of $H$ in $G_1$ and $v_1 \in H$. We rewrite $g$ as

$$ g = s_1 v_1 u_2 u_3 \cdots u_n. $$

We note that $s_1 \in G_1$ and $u_2 \in G_2$. In the case that $u_1 \in G_2$, we do the similar process.

Step 1) We suppose that we have

$$ g = s_1 s_2 \cdots s_m v_m u_t u_{t+1} \cdots u_n $$

where $v_m \in H$ and $s_i$ is a representative of $G_1$ or $G_2$ for $i = 1, 2, \ldots, m$ such that if $s_i \in G_1$ then $s_{i+1} \in G_2$ or vice versa, and also if $s_m \in G_1$ then $u_t \in G_2$ or vice versa. If there is no $u_j$ in the sequence, we have a sequence of the form

$$ g = s_1 s_2 \cdots s_m v_m $$

where $v_m$ is in $H$. Set $s_{m+1} \leftarrow v_m$. Then we return the normal form

$$ g = s_1 s_2 \cdots s_m s_{m+1} $$

and the algorithm terminates.

Now we assume that $s_m$ is a representative of $G_1$. Then $u_t$ is in $G_2$ and we can write $v_m u_t = s_{m+1} v_{m+1}$ where $s_{m+1}$ is a representative of $G_2$ and $v_{m+1} \in H$.

Step 2) If $s_{m+1} \notin H$ then we have

$$ g = s_1 s_2 \cdots s_m s_{m+1} v_{m+1} u_{t+1} \cdots u_n. $$

We should note that $s_{m+1} \in G_2$ and $u_{t+1} \in G_1$. Then go to Step 1).

If $s_{m+1} \in H$, then we have $s_m s_{m+1} v_{m+1} u_{t+1} \in G_1$ since $s_m, u_{t+1} \in G_1$ and $s_{m+1}, v_{m+1} \in H \subset G_1$. Then we have

$$ s_m s_{m+1} v_{m+1} u_{t+1} = s'_m v'_m $$

where $s'_m$ is a representative of $G_1$ and $v'_m \in H$. Then set $s_m \leftarrow s'_m$ and $v_m \leftarrow v'_m$. Then we have

$$ g = s_1 s_2 \cdots s_m v_m u_{t+2} \cdots u_n. $$

We should note that $s_m \in G_1$ and $u_{t+2} \in G_2$ if it exists (as $u_t \in G_2$).

In the case that $s_m$ is a representative of $G_2$ and $u_t$ is in $G_1$, we do the dual procedure. Then go to Step 1).

At each stage of Step 2), the number of $u_k$'s is reduced. Hence, the algorithm ends within at most $2n + 1$ steps if the length of the input is $n$. Therefore, Algorithm 1 takes only linear time.
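As an added example (not the paper's code), Algorithm 1 of the Appendix specialised to $SL(2, \mathbb{Z}) = \langle A \rangle *_H \langle B \rangle$ with $A^6 = B^4 = 1$ and $A^3 = B^2 = -I$, together with the rewriting $T = AB^3$, $T^{-1} = BA^2$, $S = B$ of Section 3 that turns the output of the standard reduction algorithm into a word on $A$ and $B$. Group elements are handled symbolically as (generator, exponent) pairs, so no matrix entries are needed; the function names and the string format are this example's own.

```python
# Added example, not the paper's code: Algorithm 1 for SL(2,Z) = <A> *_H <B>
# with A^6 = B^4 = 1 and A^3 = B^2 = -I, H = {I, -I}.  Coset representatives
# are A^0, A^1, A^2 in <A> and B^0, B^1 in <B>; a word is a list of
# (generator, exponent) pairs and the empty list is the identity.

ORDER = {"A": 6, "B": 4}          # orders of the two cyclic factors
HALF = {"A": 3, "B": 2}           # A^3 = B^2 = -I, the generator of H

def normal_form_word(word):
    """Algorithm 1.  `word` is a list of (gen, exponent) pairs (alternation is
    not required).  Returns (reps, sign): reps is the alternating list
    s_1 ... s_{n-1} of representatives with exponent in {1, 2} for A and {1}
    for B, and sign is s_n = +1 or -1, the final element of H."""
    reps, sign = [], 1
    for gen, e in word:
        # Steps 1 and 2: if the tail s_m lies in the same factor as the incoming
        # element, multiply them there (v_m = sign is central, so it commutes).
        if reps and reps[-1][0] == gen:
            e += reps.pop()[1]
        e %= ORDER[gen]
        if e >= HALF[gen]:            # gen^e = gen^(e - half) * (-I): move -I into H
            e -= HALF[gen]
            sign = -sign
        if e:                         # s_{m+1} not in H: it becomes the new tail
            reps.append((gen, e))
    return reps, sign

# Rewriting of the standard generators used in Section 3 (valid up to +-I):
# T = A B^3,  T^-1 = B A^2,  S = B.  't' stands for T^-1.
REWRITE = {"T": [("A", 1), ("B", 3)], "t": [("B", 1), ("A", 2)], "S": [("B", 1)]}

def normal_form_from_TS(ts_word):
    """ts_word is a string over T, t and S (such as the output of the standard
    reduction algorithm); returns its normal form with respect to A and B."""
    return normal_form_word([pair for ch in ts_word for pair in REWRITE[ch]])

def to_string(reps, sign):
    """Render (reps, sign) as e.g. 'B A B A^2' or 'A B A (-I)'."""
    names = {("A", 1): "A", ("A", 2): "A^2", ("B", 1): "B"}
    return " ".join(names[r] for r in reps) + (" (-I)" if sign < 0 else "")

if __name__ == "__main__":
    print(to_string(*normal_form_from_TS("Tt")))    # T T^-1 = -I under this rewriting
    print(to_string(*normal_form_from_TS("TTS")))   # T^2 S = -ABA
```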